3.3 Displaying Identity

Note: Displaying cloud identifiers is not currently available. We plan to release it in future updates.

This section describes how we could display the identity of a Zoom user to others in various products. Because cryptographic keys are not easy to read, compare, or keep track of, we only show human-readable identifiers in the user interface. A user’s set of identifiers consists of three components:

  1. A Cloud Identifier, which represents the cloud infrastructure a user’s information is hosted on (omitted if the user is on the Zoom commercial cloud)

  2. An Account Domain Name (ADN), which identifies the account that the user is part of, where applicable. Before the ZTT (Section 4) is deployed, the ADN will only be displayed for users whose identities are vouched for by a trusted third-party IDP (Section 5).

  3. An email address, which can be used to distinguish individual users within the account

Here are a few examples of how a user’s identifiers can be displayed to another user:

John Smith example.com (jsmith@example.net)
  The display name, "John Smith," is freely chosen and not authenticated. example.com is the ADN. Note that the email domain, example.net, can differ from the ADN.

Lucy Lee example.org (lucy.lee@example.org)
  Since the example.org company works with the US government, their identities and keys are hosted on the separate Zoom for Government Cloud, and this is noted in the UI.

Anna Smith example.com
  Anna might decide not to disclose her email address but still be identified as a member of the example.com account. Although her email address is not revealed, her devices' long-term cryptographic public keys could still be used by a determined attacker to determine when they have interacted with the same device multiple times, even if the display name is changed between interactions.

Richard Roe
  Users can use some Zoom products as guests and display no identifying information to other users other than the freely chosen display name. Since guests generate fresh long-term keys each time, the tracing attack described above is not possible.

Mike Doe (mike.doe@example.com)
  Mike is associated with an email address but not an ADN.
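The display rules above can be captured in a small renderer. The following is an added example written for this page, not Zoom client code: it takes the three identifier components plus the unauthenticated display name and applies the omission rules stated in this section (the Cloud Identifier is omitted on the commercial cloud, the ADN is shown before ZTT deployment only when a trusted IDP vouches for the identity, the email address is optional, and guests show only their display name). The field names, the `Cloud` enum, the `ztt_deployed` flag and the bracketed rendering of the cloud label are assumptions made for the example; the page does not specify a data model.

```python
"""Render the human-readable identity of Section 3.3 from its components.

Added example, not part of the original whitepaper. The component names,
the Cloud enum and the bracketed cloud label are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Cloud(Enum):
    COMMERCIAL = "commercial"                  # identifier omitted in the UI
    GOVERNMENT = "Zoom for Government Cloud"   # assumed label text


@dataclass(frozen=True)
class UserIdentity:
    display_name: str                 # freely chosen, never authenticated
    cloud: Cloud = Cloud.COMMERCIAL
    adn: Optional[str] = None         # Account Domain Name, where applicable
    adn_vouched: bool = False         # vouched for by a trusted third-party IDP
    email: Optional[str] = None       # user may withhold this
    is_guest: bool = False            # guests reveal nothing but display name


def identifiers(user: UserIdentity, ztt_deployed: bool = False) -> Dict[str, str]:
    """Return only the identifiers that the rules permit showing.

    The display name is deliberately excluded: it is not an identifier and
    must never be used by a client to decide who it is talking to.
    """
    shown: Dict[str, str] = {}
    if user.is_guest:
        return shown
    if user.cloud is not Cloud.COMMERCIAL:
        shown["cloud"] = user.cloud.value
    # Before the ZTT (Section 4) is deployed, the ADN is displayed only for
    # users whose identities are vouched for by a trusted IDP (Section 5).
    if user.adn and (ztt_deployed or user.adn_vouched):
        shown["adn"] = user.adn
    if user.email:
        shown["email"] = user.email
    return shown


def render(user: UserIdentity, ztt_deployed: bool = False) -> str:
    """Produce the one-line UI string used in the examples of this section."""
    ids = identifiers(user, ztt_deployed)
    parts = [user.display_name]
    if "adn" in ids:
        parts.append(ids["adn"])
    if "email" in ids:
        parts.append(f"({ids['email']})")
    line = " ".join(parts)
    if "cloud" in ids:
        line += f" [{ids['cloud']}]"
    return line


# The five examples from the page, reconstructed as inputs (constructed data).
JOHN = UserIdentity("John Smith", adn="example.com", adn_vouched=True,
                    email="jsmith@example.net")
LUCY = UserIdentity("Lucy Lee", cloud=Cloud.GOVERNMENT, adn="example.org",
                    adn_vouched=True, email="lucy.lee@example.org")
ANNA = UserIdentity("Anna Smith", adn="example.com", adn_vouched=True)
RICHARD = UserIdentity("Richard Roe", is_guest=True)
MIKE = UserIdentity("Mike Doe", email="mike.doe@example.com")

# Edge case: an account member whose ADN is not vouched for by an IDP.
# Before ZTT deployment the ADN is withheld; once deployed it is shown.
UNVOUCHED = UserIdentity("Mike Doe", adn="example.com", adn_vouched=False,
                         email="mike.doe@example.com")

if __name__ == "__main__":
    for u in (JOHN, LUCY, ANNA, RICHARD, MIKE):
        print(render(u))
    print(render(UNVOUCHED), "|", render(UNVOUCHED, ztt_deployed=True))
```

The split between `identifiers()` and `render()` is deliberate: anything that compares or pins a peer's identity should work from the returned dictionary (and, ultimately, from the long-term keys of Section 3.2), never from the rendered string, because the display name at its front is attacker-controlled.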
