5.5 Zoom Identity Snapshots
The zoom-identity-snapshot field of an IDP attestation binds the email and ADN to the set of cryptographic keys that the client will use in its interactions and, in some cases, to the user’s whole cryptographic identity by including the user and account sigchain tails. For example, in the context of E2EE meetings (Section 7.10), the snapshots currently include only the identity verification key IVK used by the device posting the attestation to join that specific meeting. In the future, once we start leveraging sigchains for identity in E2EE meetings, we will also include the sigchain tails in the snapshot. There are several advantages to binding to the full cryptographic user identity: devices will be able to share a single attestation, which would need to be updated only when it expires (a configurable interval) or when there are changes to the user’s identity, thus simplifying interactions with identity providers and improving the user experience. Note that these attestations of sigchain tails are not considered valid if the sigchain’s user has not reviewed all changes to their identity (e.g. reviewed newly added devices). In addition, because these attestations would cover the full history of a user’s cryptographic identity, any past misbehavior by the server is more likely to be detected.
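The following is an added example, not code from the whitepaper or from Zoom's implementation. It models in Python the binding described above: an IDP attestation whose snapshot ties an email and ADN to a device's IVK and to the user's sigchain tail, and the checks a verifier applies to it (IDP signature, expiry, snapshot tail still matching the live sigchain, and all sigchain changes reviewed by the user). The field names, the toy hash-chain sigchain, the HMAC used as a stand-in for the IDP's real signature, and all sample values are constructed assumptions for illustration.

```python
"""Illustrative model of a zoom-identity-snapshot attestation and its validation.
Constructed for this example; field names and formats are assumptions, not Zoom's."""
import copy
import hashlib
import hmac
import json


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Sigchain:
    """Toy append-only sigchain: each link commits to the previous link's hash and
    the tail is the hash of the newest link. Review status is kept beside the
    chain so that marking a link reviewed does not change the tail."""

    def __init__(self) -> None:
        self.links: list[dict] = []
        self.reviewed: set[int] = set()

    def append(self, op: str, device: str) -> None:
        self.links.append({"prev": self.tail(), "op": op, "device": device})

    def tail(self) -> str:
        if not self.links:
            return _h(b"genesis")
        return _h(json.dumps(self.links[-1], sort_keys=True).encode())

    def review_all(self) -> None:
        self.reviewed = set(range(len(self.links)))

    def all_reviewed(self) -> bool:
        return self.reviewed == set(range(len(self.links)))


def _sign(idp_key: bytes, payload: dict) -> str:
    # HMAC-SHA256 stands in for the IDP's signature over the attestation payload.
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(idp_key, body, hashlib.sha256).hexdigest()


def issue_attestation(idp_key: bytes, email: str, adn: str, ivk: str,
                      chain: Sigchain, ttl: int, now: int) -> dict:
    """IDP side: bind email + ADN to the device IVK and the current user sigchain tail."""
    payload = {
        "email": email,
        "adn": adn,
        "expires": now + ttl,
        "zoom_identity_snapshot": {"ivk": ivk, "user_sigchain_tail": chain.tail()},
    }
    return {"payload": payload, "sig": _sign(idp_key, payload)}


def verify_attestation(att: dict, idp_key: bytes, email: str, adn: str,
                       chain: Sigchain, now: int) -> str:
    """Verifier side: returns "ok" or the first reason the attestation is rejected."""
    payload = att["payload"]
    if not hmac.compare_digest(att["sig"], _sign(idp_key, payload)):
        return "bad signature"
    if now >= payload["expires"]:
        return "expired"
    if (payload["email"], payload["adn"]) != (email, adn):
        return "identity mismatch"
    snap = payload["zoom_identity_snapshot"]
    if snap["user_sigchain_tail"] != chain.tail():
        return "stale snapshot"          # identity changed since the IDP attested to it
    if not chain.all_reviewed():
        return "unreviewed changes"      # user has not yet reviewed every sigchain change
    return "ok"


def demo() -> dict:
    """Walk through the lifecycle: fresh, expired, stale after an identity change,
    rejected while a new device is unreviewed, accepted after review, and tampered."""
    key = b"idp-demo-key"                       # constructed IDP secret
    alice, adn = "alice@example.com", "example.com"
    chain = Sigchain()
    chain.append("add-device", "laptop-1")
    chain.review_all()
    t0 = 1_000_000
    att = issue_attestation(key, alice, adn, "ivk-laptop-1", chain, ttl=3600, now=t0)
    out = {}
    out["fresh"] = verify_attestation(att, key, alice, adn, chain, now=t0 + 60)
    out["expired"] = verify_attestation(att, key, alice, adn, chain, now=t0 + 3600)
    chain.append("add-device", "phone-2")       # new device appended, not yet reviewed
    out["stale"] = verify_attestation(att, key, alice, adn, chain, now=t0 + 60)
    att2 = issue_attestation(key, alice, adn, "ivk-phone-2", chain, ttl=3600, now=t0)
    out["unreviewed"] = verify_attestation(att2, key, alice, adn, chain, now=t0 + 60)
    chain.review_all()
    out["after_review"] = verify_attestation(att2, key, alice, adn, chain, now=t0 + 60)
    forged = copy.deepcopy(att2)
    forged["payload"]["email"] = "mallory@example.com"
    out["tampered"] = verify_attestation(forged, key, "mallory@example.com", adn, chain, now=t0 + 60)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The "stale snapshot" case is the situation the text describes where a shared attestation must be refreshed after the user's identity changes, and "unreviewed changes" is the rule that a tail attestation is not valid until the user has reviewed every change to their sigchain.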