This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

E2EE Proposal: Simplified encryption key verification #3738

Closed
unclechu opened this issue Aug 22, 2018 · 2 comments

Comments

@unclechu

Let's imagine a situation: I have a Desktop encryption key which is verified by an interlocutor (he trusts this key/"device"). Later I sign in from my mobile phone and now I also have a Mobile key, and the interlocutor gets a warning that there's an unverified key in the room. What do I usually do in real life?

  1. Write from the Mobile device to the interlocutor: "This is my new device";
  2. Write from Desktop (verified by the interlocutor): "I confirm this is my new device, please verify".

So I do it with my bare hands, and when I have many PM rooms it can be pretty annoying to do it every time I sign in from a new device, new OS, GUI, etc.

I think it could be simplified by having the key owner (me, in the context of that example) sign public keys with private keys. For example, I could sign the public Mobile key with my Desktop private key. So if you trust (have verified) my Desktop key, you automatically trust my Mobile key, which is signed by my Desktop key.

In an imaginary situation, what do I do as the owner of the keys?

  1. I sign in from a new device (Mobile), and a new key appears;
  2. From my Desktop account I go to my devices list (e.g. in Riot) and click "sign this device" on my Mobile device;
  3. An interlocutor who trusts my Desktop key now trusts my Mobile key automatically, if the signature by the Desktop key is correct.

P.S. If the Desktop key is removed by me, or an interlocutor has blacklisted it, Mobile isn't trusted anymore, unless it is verified by hand.
P.P.S. In Riot a different "trust" icon could also be used, to indicate that this key is trusted through a signature by another trusted key.
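
The trust rule proposed in the post above, including the P.S. case, as an added example that is not part of the original issue and is not Riot or Matrix code. All names (`newDevice`, `signDevice`, `trustOf`), the signed payload layout and the one-hop rule (only a hand-verified device can vouch for another) are assumptions made for illustration.

```javascript
// Added illustration of the proposal; hypothetical names, not Riot/Matrix code.
const crypto = require('node:crypto');

// Constructed sample device with its own Ed25519 key pair.
function newDevice(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { id, publicKey, privateKey, signatures: [] };
}

// Bytes that get signed: the device id bound to its public key (assumed layout).
function signedPayload(device) {
  const der = device.publicKey.export({ type: 'spki', format: 'der' });
  return Buffer.concat([Buffer.from(device.id + '\0'), der]);
}

// Owner action: "sign this device", performed from an already trusted device.
function signDevice(signer, target) {
  const sig = crypto.sign(null, signedPayload(target), signer.privateKey);
  target.signatures.push({ by: signer.id, sig });
}

// Interlocutor's view. published: devices the owner currently lists,
// verified: ids checked by hand, blacklisted: ids the interlocutor rejected.
function trustOf(device, published, verified, blacklisted) {
  if (blacklisted.has(device.id)) return 'untrusted';
  if (verified.has(device.id)) return 'verified';
  for (const { by, sig } of device.signatures) {
    const signer = published.get(by);
    // The P.S. rule: a removed or blacklisted signer no longer vouches for anyone.
    if (!signer || !verified.has(by) || blacklisted.has(by)) continue;
    if (crypto.verify(null, signedPayload(device), signer.publicKey, sig)) {
      return 'signed-by-verified'; // candidate for the separate "trust" icon
    }
  }
  return 'untrusted';
}

// Walks through the scenario from the post with constructed devices.
function demo() {
  const desktop = newDevice('DESKTOP'), mobile = newDevice('MOBILE');
  const published = new Map([[desktop.id, desktop], [mobile.id, mobile]]);
  const verified = new Set(['DESKTOP']);
  const before = trustOf(mobile, published, verified, new Set());
  signDevice(desktop, mobile);
  const after = trustOf(mobile, published, verified, new Set());
  const blacklisted = trustOf(mobile, published, verified, new Set(['DESKTOP']));
  published.delete('DESKTOP'); // owner removes the Desktop device
  const removed = trustOf(mobile, published, verified, new Set());
  return { before, after, blacklisted, removed };
}
```

The signature is checked against the signer's currently published key, so a signature that merely claims to come from the Desktop device but was made with another key leaves the Mobile key untrusted.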

@uhoreg
Member

uhoreg commented Aug 22, 2018

The related riot-web issue is element-hq/element-web#2714

@ara4n
Member

ara4n commented Aug 22, 2018

yup, i think you're asking for cross-signing here, which @uhoreg and @dbkr are working on currently, and the canonical bug for which is element-hq/element-web#2714.

@ara4n ara4n closed this as completed Aug 22, 2018