Skip to content

MSC4161: Crypto terminology for non-technical users #4161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 56 commits into
base: main
Choose a base branch
from
Open

MSC4161: Crypto terminology for non-technical users #4161

Changes from 7 commits
Commits
Show all changes
56 commits
Select commit Hold shift + click to select a range
5f08ae9
Initial commit for MSC4161: Crypto terminology for non-technical users
andybalaam Jun 27, 2024
32f386b
First draft
andybalaam Jun 27, 2024
cd26b70
Fix typo
andybalaam Jun 27, 2024
a7b5a77
Fix mis-formatted heading
andybalaam Jun 27, 2024
a79b289
Fix incorrect bolding
andybalaam Jun 27, 2024
89412cc
Ensure we are consistently saying Alice's identity appears to have ch…
andybalaam Jun 27, 2024
d15576e
Add another example for key storage
andybalaam Sep 5, 2024
af70e43
Link to MSC4153 where we mention it.
andybalaam Sep 5, 2024
720cdeb
Make the wording about resetting keys more precise.
andybalaam Sep 5, 2024
de285aa
Re-word the paragraph about the importance of verified identity chang…
andybalaam Sep 5, 2024
57fc5c1
Link to the spec equivalent wording for our recovery key
andybalaam Sep 5, 2024
a4b95b4
Re-word the paragraph about Invisible Crypto
andybalaam Sep 5, 2024
0499900
Propose being an appendix to the spec
andybalaam Sep 6, 2024
b919630
Add a section on what to say when a message can't be decrypted
andybalaam Sep 6, 2024
007a15f
Add a missing 's'
andybalaam Sep 6, 2024
45928bb
changes->changed
andybalaam Sep 6, 2024
3a2d012
Remove erroneous UTD message
andybalaam Sep 6, 2024
56b5daf
Mention that clients SHOULD follow this guide and document any except…
andybalaam Oct 7, 2024
fba4f5c
person->user
andybalaam Oct 7, 2024
9246021
Reword sentence on cross-signing
andybalaam Oct 7, 2024
0c9d812
Re-word the "Waiting for this message" sentence
andybalaam Oct 7, 2024
705f7bb
Add missing word "message"
andybalaam Oct 7, 2024
4bcee33
Remove unneeded 'private key' warning
andybalaam Oct 7, 2024
f654c2e
Re-word 'key-backup' paragraph to contrast with export.
andybalaam Oct 7, 2024
3c7695f
Make clear that 'insecure device' is permitted
andybalaam Oct 7, 2024
7a789c5
Remove 'cryptographic' before 'identity', and also tone down the warn…
andybalaam Dec 17, 2024
3ed51ec
Link to spec sections on QR and emoji, and transitive trust MSC
andybalaam Dec 17, 2024
b44397b
Add a section about why this is important
andybalaam Dec 17, 2024
04df819
Add a paragraph about losing the recovery key
andybalaam Dec 17, 2024
bdbd7b4
Remove the 'appears to have changed' wording and add explanation
andybalaam Dec 17, 2024
7a9a84b
Note that older spec versions say 'recovery key'
andybalaam Dec 17, 2024
c13bd45
Add an Alternatives section about device and session
andybalaam Jan 31, 2025
d087885
Add a note about the Devices section depending on MSC4153
andybalaam Jan 31, 2025
a938372
Re-write key storage and recovery
andybalaam Jan 31, 2025
9cacbe7
Rename 'reset recovery' to 'change recovery key'
andybalaam Feb 3, 2025
0a449f6
Remove recommendation against recovery code
andybalaam Feb 3, 2025
f4de07d
Use a comma instead of a dash to avoid looking like a bullet point.
andybalaam Feb 4, 2025
2954056
Only unverified devices that have published keys are an error
andybalaam Feb 4, 2025
ecfd1ad
Link to the equivalent spec names for key storage and recovery
andybalaam Feb 4, 2025
6754d25
Use assertive language rather than "we propose"
andybalaam Mar 20, 2025
00993d9
Allow either 'device' or 'session'
andybalaam Mar 20, 2025
2f2c745
Be more assertive about updating the spec where relevant.
andybalaam Mar 20, 2025
bb56dff
Be more vague about where this lands in the spec
andybalaam Mar 20, 2025
4a943ef
Improve explanation of why to avoid 'device keys'
andybalaam Mar 20, 2025
8ede8fc
Tweak comments about loss of devices
andybalaam Mar 20, 2025
d68f033
Clarify who should be warned on identity reset
andybalaam Mar 20, 2025
0cc24c5
Make clear that bolded terms are normative.
andybalaam Mar 20, 2025
ba56376
Add missing quotation prefix
andybalaam Mar 20, 2025
b7f3f8b
Proposal language for double ratchet sentence.
andybalaam Mar 20, 2025
9976599
Remove MSC4153 material - it has been proposed to be added in MSC4153
andybalaam Mar 20, 2025
40c268d
Note that Element is using this as a reference
andybalaam Mar 21, 2025
cc83a41
Call out the situation when UTD is because of an error
andybalaam Mar 21, 2025
30acaac
Explain a little more what a recovery passphrase actually is
andybalaam Mar 21, 2025
38e2f25
Provide a list of references for using the word identity
andybalaam Mar 21, 2025
fa893e1
Add more alternatives to device
andybalaam Mar 21, 2025
d7ed82b
Reword 'identity was changed' to 'identity has been reset'
andybalaam Mar 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
278 changes: 278 additions & 0 deletions proposals/4161-crypto-terminology.md
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation requirements (in my opinion):

  • User research to show these terms as helpful and easily understood.

The research may be done through studies or deployment to a portion of the user base with analytics to show "easier" use of the app.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having discussed this briefly with the SCT, the actual implementation requirements are more along the lines of requiring Element to implement this MSC. This is because of the client's large user base, allowing us to determine if the terms appeal to users in that kind of environment.

Other clients can and should implement this MSC still, however. Those implementation would further add data to the terms proposed in this MSC, either favourably or otherwise :)

Original file line number Diff line number Diff line change
@@ -0,0 +1,278 @@
# MSC4161: Crypto terminology for non-technical users
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me start with the positive note - I believe that, at this stage in Matrix evolution, this initiative is very worth while. I think that we need to unify and clean up the language used throughout Matrix, and that is not specific to the cryptography part. That being said, I think we have to answer a fundamental question before we go for this.

This is one of the first, if not the first, MSC that entirely focuses on recommendations to user interfaces and user experience rather than APIs and call flows. If we are to enter the UI/UX guidelines territory, I would prefer that we first agree whether the SCT remit and capability extends there, and how far. A few comments below have what I think needs further discussion. TL;DR (but please respond under specific comments):

  1. Mainly to SCT: can we make sure this MSC does not end up a single shot and establish a way to further contribute in the same direction?
  2. Mainly to SCT: if (1) is positive then we may have to do something about our expertise on the subject. I don't think we have enough of it onboard.
  3. To the MSC authors: external references?
  4. To the MSC authors and for an eventual spec PR: can we separate the glossary from the phrasebook and treat them differently? The glossary has much higher inertia among users while the phrasebook can be altered and extended faster without consequences for the ecosystem.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see this MSC as a comprehensive document really covering the ground - and that's fine. I don't believe we should even focus on cryptography, it's just one of more technically advanced areas where we ended up exposing too much of protocol internals to the users. I'm totally happy to start with this but I don't want this MSC to be the start and the end. It would be great to see more effort, from the entire community, on improving UX in Matrix for different user categories. It would be disappointing if this MSC becomes a lonely shot in the direction of UI/UX guidelines.

I don't have a clear path but I know it should be more than an appendix, linked to from the CS API spec. We'll probably have to do some advocacy to raise awareness; we'll also need to think about i18n and l10n to extend good wording to other languages than English (we have prior experience on that!); probably there are more areas. I recognise that everybody signals ENOTIME at this point of reading but I don't see the point in going further with this MSC if we don't treat it as a part of something bigger.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure we at SCT have experience and expertise on the subject. Being one of those covering the clients domain area, I may have to go for some research and self-education before I can responsibly make decisions on this. And/or we might have to call someone in who has appropriate background. Fortunately, Matrix is used by some UI-conscious communities (GNOME, in particular) so we might not need to search too far away.

This is especially critical given how much bike-shedding this subject may cause - particularly around the words and phrases shown in the UI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Speaking of this MSC: I would appreciate having more external references. So far the MSC looks like a result of the original research breaking new ground, with minimal prior art. There's probably just a couple of places where other platforms are mentioned, and there are no references to decentralised platforms like E-mail or Web (GMail is not decentralised). It would be great to make sure at least some research has been done if we are to officially endorse specific terms.

For example: next to others, I'm not a fan of "devices", I really believe it's a misnomer we borrowed from centralised mobile-first platforms. I can still grudgingly accept it if we couldn't find a better alternative. But the only discussed alternative was "session", which I agree is (even) weaker. I was surprised that "clients" (taken from e-mail), or "applications/apps" (desktop and mobile environments) are not even namechecked.

Or consider "identity" - I don't know if it's good or bad because I don't see the research behind the choice. I only know it's difficult to translate it to Russian and a few other Slavic languages and, separately, that it confused me when I stumbled on "the identity has changed" wording in WhatsApp. Maybe there's something better, maybe there isn't - it's not clear from the MSC.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can adjust phrases but the fundamental vocabulary is not something we can "iterate" easily on; once end users (especially non-technical) get used to it, they won't appreciate changes if/when we discover that something doesn't really work. I would suggest that we actually spec the glossary, leaving specific phrases to a lighter "implementation guide" kind of a document. The implication here is that the glossary is something we actively promote as the standard way to express things in Matrix (and tbh I would really consider it being universal, without "technical/non-technical" separation), while the phrases would be a sort of reference for client authors that we can change quicker, probably without MSCs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Speaking of this MSC: I would appreciate having more external references
...
Or consider "identity" - I don't know if it's good or bad because I don't see the research behind the choice...

This is a very good point. I have attempted to provide some external references in 38e2f25 - if you like the general style of this I can try to do it for some other words.

In some cases I think what we are doing in the MSC is just standardising words that are already in use, so maybe the references should rather be to existing Matrix clients - what do you think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest that we actually spec the glossary, leaving specific phrases to a lighter "implementation guide" kind of a document.

We could definitely do a split like this if there is support for it. So far I have thought of what we are doing as a glossary, with the words in bold as normative, and the additional words used for explanation of the glossary, not necessarily an implementation guide. So I am not yet personally convinced that we need a split, but maybe we could make it clearer that the examples are for explanation purposes?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure we at SCT have experience and expertise on the subject. Being one of those covering the clients domain area, I may have to go for some research and self-education before I can responsibly make decisions on this. And/or we might have to call someone in who has appropriate background. Fortunately, Matrix is used by some UI-conscious communities (GNOME, in particular) so we might not need to search too far away.

I'd certainly welcome input from people with other expertise - this is so far mainly constructed from observing words already in use in multiple Matrix clients, and with expert input from product management and design professionals within Element. We have made adjustments based on input from other clients and community members too, but have not managed to get a huge amount of engagement.

However, I'd be keen not to add an impossible barrier to this MSC. Even if it needs improvements later (which I agree could be painful) I think it can improve the lives of users soon after it is merged, and if it is never merged we will never see those improvements.

Copy link
Member Author

@andybalaam andybalaam Mar 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

1. Mainly to SCT: can we make sure this MSC does not end up a single shot and establish a way to further contribute in the same direction?

I believe MSC4270 is an attempt to address this comment by establishing a context within which this MSC can be applied.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For example: next to others, I'm not a fan of "devices", I really believe it's a misnomer we borrowed from centralised mobile-first platforms. I can still grudgingly accept it if we couldn't find a better alternative. But the only discussed alternative was "session", which I agree is (even) weaker. I was surprised that "clients" (taken from e-mail), or "applications/apps" (desktop and mobile environments) are not even namechecked.

Thanks, I added more alternatives in fa893e1 . I personally don't think there are better words than "device", but we can try! btw I'm not sure how "devices" is related to being centralised? (I do see how it's from mobile-first platforms, and I think we should embrace that a little since it is how so many people engage with messaging.)


## Background

Matrix makes use of advanced cryptographic techniques to provide secure
messaging. These techniques often involve precise and detailed language that is
unfamiliar to non-technical users.

This document provides a list of concepts and explanations that are intended to
be suitable for use in Matrix clients that are aimed at non-technical users.

Ideally, encryption in Matrix should be entirely invisible to end-users (much as
WhatsApp or Signal users are not exposed to encryption specifics) - as outlined
in [MSC4153](https://github.com/matrix-org/matrix-spec-proposals/pull/4153).
However, consistent terminology is still required, especially during the
transition period to Invisible Cryptography.

## Goals

We hope that Matrix client developers will like the terms and wording we
provide, and adapt their user interfaces and documentation to use them. (If this
MSC is accepted, Element will use it as a reference for English wording in its
clients.)

Where concepts and terms exactly match existing terms in the Matrix spec, we
propose changing the spec to use the terms from this document. Where they do not
match, we are very comfortable with different words being used in the spec,
given it is a highly technical document, as opposed to a client user interface.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe it makes total sense to see harmonised but different vocabularies in the API specifications and UI guidelines. In case of UI I would suggest providing some acceptable alternatives to primary key words, as well as known-bad options (this MSC already has those in a few places). Having these helps translators a lot to find the best equivalent in other languages.


We hope that this MSC will:

* Cause small changes in the spec (as described in the previous paragraph), and
* Become a document, blessed by the spec core team and available on the spec web
site, but probably separate from the spec proper.

Clients may, of course, choose to use different language. Some clients may
deliberately choose to use more technical language, to suit the profiles of
their users. This document is aimed at clients targeting non-technical users.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure that the proposed language is actually aimed solely at non-technical users. I'm sure it will bring better Matrix experience to technical users who haven't seen the protocol specifications, just as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but I want to make sure the scope of this document is as clear as possible, to avoid unnecessary debate about issues that are more technical than the issues addressed here.


Where changes are made in the spec, we suggest that notes be added mentioning
the old name, as in [this
example](https://github.com/matrix-org/matrix-spec/pull/1819/files#diff-8b25d378e077f18eb06ebdb9c376e194c8a4c8b95cf909fca6448659a627f283R1326).

## Proposal

When communicating about cryptography with non-technical users, we propose using
the following terms and concepts.

### Devices

Instances of a client are called 'devices' (not 'sessions'). Aligned with
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's worth noting that Element-Web does not follow this advice today: the list of active devices are visible on the "Sessions" tab:

image

MAS talks about sessions too:

image

Note "3 active sessions".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a thing that's been bugging me about this. Are "devices" and "sessions" even the same thing? MAS is primarily talking about server-side sessions which correspond to access tokens. But when we are talking about cryptography, we don't mean that but something which is exclusively client-side and corresponds to cryptographic key material.

Sure, there is often a correspondence between the two, but they are not the same thing. They are not even necessarily 1-to-1 given there are client instances which have no cryptography enabled.

So is the terminology problem partly caused by our stumbling over this difference without realising it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 00993d9 to allow either device or session. It's clear that there is no consensus in the community about which word to use, so we take the slight hit of having 2 words, but we avoid clients having to diverge from this proposal.

As for @dkasak 's comments: I think there might be something very helpful there, but I think it's too low-level for this proposal.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andybalaam Do you have any suggestions where else we can take it? It's a bit of a fear of mine that the wording used in this MSC, should it get accepted, will interfere with the established technical wording in the spec. Both this MSC and the spec talk about "devices", but they really mean (related but ultimately) different things, don't they?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually think devices here are quite close to what the spec means when it says devices. Where do you see a difference?

In general, I'm not sure where we should take your comments. If you want to propose a change to the wording used in the main spec, I suppose a separate MSC would be the best way.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think my complaint is primarily that the existing treatment of devices in the spec is ambiguous and somewhat confused. This MSC purports to improve the terminology but is not actually disentangling this ambiguity but rather doubling down on it.

In particular, we do not properly disentangle between:

  1. Physical devices or client installations.
  2. Cryptographic devices, i.e. the data structures representing the root of trust and authenticity of a given installation via cryptographic means. This roughly corresponds to the DeviceKeys struct in the spec.
  3. Server-side or MAS-side sessions.

There are some loose business logic relations between these concepts but they are distinct concepts. The current spec treats them somewhat interchangeably, ambiguously referring to all of them as "devices". My argument is that each of these concepts should get its own term and that the relationships between them ought to be unambiguously described using those terms.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A question that arose in discussion with the SCT: do we actually need to specify "sessions" vs "devices"? Maybe this is something that we can leave up to individual clients, and users will figure it out?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from earlier discussion with some of the SCT: we can probably just shorten this to something like:

Suggested change
Instances of a client are called 'devices' (not 'sessions'). Aligned with
Instances of a client are preferably called 'devices' (or 'sessions' as a second choice). Aligned with

The spec would then use devices.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated this MSC here 00993d9 with similar language to the above, with a slightly more even-handed wording. Given the strength of feeling on this issue I don't want to describe 'sessions' as a second choice, but rather an alternative.

MSC4153, we take it as granted that all devices have been cross-signed by the
user who owns them, and we call these **devices**.

Devices which have not been cross-signed by the user are considered an error
state, primarily to be encountered during the transition to MSC4153 and/or due
to buggy/incomplete/outdated clients. These devices are referred to as **not
secure** and presence of them are considered a serious and dangerous error
condition, similar to an invalid TLS certificate.

> "This device is not secure. Please verify it to continue."

> "Ignoring 5 messages that were sent from a device that is not secure."

> "Confirm it's you" (when asking to verify a device during login)

⚠️ Avoid saying "secure device". All devices are considered secure by default;
the user doesn't typically need to worry about the fact that insecure devices
are a thing, given they should only ever occur in error (or transitional)
scenarios.

⚠️ Avoid saying "trusted device" or "verified device". Devices are not people,
and it is helpful to use different language for people vs. devices. (However, we
do use the verb "verify" to describe how to make a device secure. By using the
same verb, we help users understand the confusing fact that verifying devices
and verifying people are similar processes, but with different outcomes.)

⚠️ Avoid using "cross-signing", which requires a deeper understanding of
cryptography to understand.

⚠️ Avoid mentioning "device keys" - a device is just secure or not.

⚠️ Avoid "session" to mean device. Device better describes what most people
encounter, and is more commonly used in other products.

### Verified person

When you verify a person they become **verified**. This means that you have
cryptographic proof that no-one is listening in on your conversations. (You need
this if you suspect someone in a room may be using a malicious homeserver.)

In many contexts, most people are **not verified**: verification is a manual
step (scanning a QR code or comparing emojis). (In future, verification will
probably become more common thanks to "transitive trust" or "key transparency").
When an unverified person resets their cryptographic identity, we should warn
the user, so they are aware of the change.

If a verified person's cryptographic identity changes (i.e. they reset their
recovery key) then this is very important: we verified them because we care
about proof that no-one is listening, and now someone could be. The user can
choose to **withdraw verification** (i.e. "demote" them from being verified), or
**re-verify** them. Until they do one or the other, communication with them should
contain a prominent and serious warning that the user's **verified identity has
changed**.

> "This person is verified."

> "WARNING: Bob's verified identity has changed!"

> "You verified this person's identity, but it has changed. Please choose to
> re-verify them or withdraw verification."

⚠️ Avoid using "cross-signing", which requires a deeper understanding of
cryptography to understand.

⚠️ Avoid using "trust on first use (TOFU)", which is a colloquial name for noting
the identity of people who are not verified so that we can notify the user if it
changes. (This is a kind of "light" form of verification where we assume that
the first identity we can see is trusted.)

⚠️ Avoid confusing verification of people with verification of devices: the
mechanism is similar but the purpose is different. Devices must be verified to
make them secure, but people can optionally be verified to ensure no-one is
listening in or tampering with communications.

⚠️ Avoid talking about "mismatch" or "verification mismatch" which is very
jargony - it is the identity which is mismatched, not the verification process.
Just say "Bob's verified identity has changed".

⚠️ Avoid talking about "cryptographic identity" which is very jargony. Just call
it "identity" where possible - i.e. the non-technical dictionary definition of
identity such that someone is who they claim they are, not someone else. The
fact we confirm identity cryptographically is irrelevant to the user;
cryptography should be invisible.

### Identity

A person's **identity** is proof of who they are, and, if they are verified,
proof that you have a secure communication channel with them.

> "Warning: Alice's identity appears to have changed" (when a non-verified
> person resets their recovery key)

> "WARNING: Bob's verified identity has changed!" (when a verified person resets
> their recovery key)

(During login, at the "Confirm it's you" stage):

> "If you don't have any other device and you have lost your recovery key, you
> can create a new identity. (Warning: you will lose access to your old
> messages!)" button text (in red or similar): "Reset my identity"

⚠️ Avoid saying "master key" - this is an implementation detail.

⚠️ Avoid saying "reset their encryption" - the reason that Alice's identity
changes could be due to attack rather than because they reset their encryption
(plus "encryption" is jargony).

### Message key

A **message key** is used to decrypt a message. The metaphor is that messages
are "locked in a box" by encrypting them, and "unlocked" by decrypting them.

> "Store message keys on the server."

> "This message could not be decrypted because its key is missing."

⚠️ Avoid saying "key" without a previous word saying what type of key it is.

⚠️ Avoid using "room key". These keys are used to decrypt messages, not rooms.

Note: this clashes with the term "message key" in the double ratchet. Since the
double ratchet algorithm is for a very different audience, we think that this is
not a problem.

### Message history

Your **message history** is a record of every message you have received or sent,
and is particularly used to describe messages that are stored on the server
rather than your device(s)

### Key storage

**Key storage** means keeping cryptographic information on the server. This
includes the user's cryptographic identity, and/or the message keys needed to
decrypt messages.

If a user loses their recovery key, they may **reset** their key storage. Unless
they have old devices, they will not be able to access old encrypted messages
because the message keys are stored in key storage, and their cryptographic
identity will change, because it too is stored in key storage.

> "Allow key storage"

> "Key storage holds your cryptographic identity on the server along with the
> keys that allow you to read your message history."

> "Message history is unavailable because key storage is disabled."

⚠️ Avoid distinguishing between "secret storage" and "key backup" - these are
both part of key storage.

⚠️ Avoid talking about more keys: "the backup key is stored in the secret
storage, and this allows us to decrypt the messages keys from key backup".
Instead, we simply say that both cryptographic identity and message keys are
stored in key storage.

⚠️ Avoid using "key backup" to talk about storing message keys: keeping things on
the server is not a "backup", but a reliable, cross-device place where this
information is stored. The word "backup" implies a redundant way to recover lost
information, but if the user loses their recovery key, this information is lost.
Clients and servers may wish to offer additional backup services that provide
true redundancy and disaster recovery, but key storage is not this.

⚠️ Avoid "4S" or "quad-S" - these are not descriptive terms.

⚠️ Avoid "private key" - this is an implementation detail and a term with
specific meaning from cryptography.

### Recovery key (and recovery passphrase)

A **recovery key** is a way of regaining access to key storage if the user loses
all their devices. Using key storage, they can preserve their cryptographic
identity (meaning other people don't see "Alice's identity appears to have
changed" messages), and also read old messages using the stored message keys.

A **recovery passphrase** is an easier-to-remember way of accessing the recovery
key and has the same purpose as the recovery key.

> "Write down your recovery key in a safe place"

> "If you lose access to your devices and your recovery key, you will need to
> reset your key storage, which will create a new identity"

> "If you lose your recovery key you can generate a new one if you are signed in
> elsewhere"

⚠️ Avoid using "security key", "security code", "recovery code", "master key". A
recovery key allows "unlocking" the key storage, which is a "box" that is on the
server, containing your cryptographic identity and message keys. It is used to
recover the situation if you lose access to your devices. None of these other
terms express this concept so clearly.

⚠️ Remember that users may have historically been trained to refer to these
concepts as "security key" or "security passphrase", and so user interfaces
should provide a way for users to be educated on the terminology change (e.g. a
tooltip or help link): e.g. "Your recovery key may also have been referred to as
a security key in the past"

## Potential issues

Lots of existing clients use a whole variety of different terminology, and many
users are familiar with different terms. Nevertheless we believe that working
together to agree on a common language is the only way to address this issue
over time.

## Further work

Several other concepts might benefit from similar treatment. Within
cryptography, "device dehydration" is a prime candidate. Outside cryptography,
many other terms could be agreed, including "export chat" (particularly in
contrast to "export message keys").

## Security considerations

In order for good security practices to work, users need to understand the
implications of their actions, so this MSC should be reviewed by security
experts to ensure it is not misleading.

## Dependencies

None

## Credits

Written by Andy Balaam, Aaron Thornburgh and Patrick Maier as part of our work
for Element. Richard van der Hoff, Matthew Hodgson and Denis Kasak contributed
many improvements before the first draft was published.