PFS relies on a piece of data to be exchanged between the users to allow a “secure channel” to be established (any messages exchanged through a secure channel have pfs properties).
A secure channel can be established currently in a few ways:
- Through public chats
- Through contact codes
Which means that if you send a direct message to a user who you added through a contact code (we changed the format), or you have received a message from the user in any public chat, the app works exactly as before.
In a few cases though that is not the case:
- You add the user through a public key
- You use ENS (ENS support might come but not in the initial version)
In those cases a secure channel cannot be established until the receiving user replies to our message.
Until more solid options are available (IPFS, Swarm), we need to consider the possibility of this happening and we need to find a way to handle it, until then we will add more ways to establish a secure channel.
To handle this there are a couple of options available:
Force all users to exchange a contact request before sending message
This is basically the same as Facebook, whereby if you want to communicate with user B you would first send them a contact request, which need to be accepted before any communication takes place.
Only require users to establish a secure channel when that cannot be done
This would only apply to the cases mentioned above, which should be the minority:
- adding by public key will be replaced by contact codes
- ENS is not live yet as I understand, and by the time it goes live we might be able to cover this scenario as well.
To give a concrete example of what a user flow might look like in this scenario:
- Users A adds user B public key, when they open a chat they see a message: “We could not establish a secure channel, a request has been sent, we need to wait for a reply from blah until any message can be securely sent” (this can be signaled by an icon of an open lock pad or similar)
- User B sees a chat with a message “User B wants to establish a secure channel with you, would you like to do so?”
- Once user B accept, adds the user to contact or replies with a message a secure channel is established.
As a last option we could still allow the user to send messages, and find a way to warn/explain that until a user replies to them those messages have different security properties, but I would discard this as not desirable.
I personally feel that 2 sounds the most reasonable given that it should impact only a few cases and can be improved incrementally by adding more ways to establish a secure channel without user interaction.
What do you all think?