7.11 E2EE Meetings with Cryptographic Identity

Note: This feature is not currently available. We plan to release it in a future update. In Section 3 we describe how we leverage sigchains to build a strong multi-device notion of cryptographic user identity. We plan to leverage this notion in the context of E2EE meetings in order to strengthen the guarantees provided by security codes and IDP attestations in detecting and preventing MitM attacks. The server signature Sigi Server as described in Section 7.6.1 will also include the sigchain tails for the corresponding user, email, account, and ADN sigchains. These tails will also be included in the signed Bindingi generated in the “Participant Key Generation” procedure of Section 7.6.2, and in the zoom-identity-snapshot field of the IDP attestation (if one is used in the meeting). In a meeting, Alice’s client verifies Bob’s sigchains (and IDP attestation, if present) before Alice’s client displays identifiers for Bob in the UI. To do so, Alice’s client fetches Bob’s user sigchain (which includes IVKi), email sigchain, account sigchain, ADN sigchain. Alice’s client verifies the server signature Sigi Server, checks that the tails of the received sigchains match those in Sigi Server and in the Binding, checks that Bob’s latest sigchain is consistent with any previous retrievals of Bob’s sigchain, and verifies the IDP attestation if one is present (including checking that the sigchain tails included in the attestation match). As for IDP attestations, these checks might be performed asynchronously, or mandated before the host performs the key exchange to limit who can access a meeting. To minimize the need to request new attestations, users accept attestations that do not necessarily cover the latest sigchain tails as long as the new links added since the IDP’s snapshot do not revoke the device currently being used in the meeting and do not change the user’s email or account identifiers. The Zoom server will provide access control to ensure that sigchains are visible to other meeting participants only for a short duration after a meeting begins. If Alice has never been in a meeting with Charlie, Charlie will have no information regarding Alice’s sigchain’s contents, length, or update frequency.