@@ -103,3 +103,77 @@ will be released, and the WebSocket connection will be dropped.
103103
104104Now the client connection is fully set up, and the application specific messages
105105(those with numeric phases) may be exchanged.
106+
107+ ## Wormhole Seeds
108+
109+ Once two clients ever connected to each other, they now have a shared secret.
110+ This can be used to establish a new Wormhole connection without involving human
111+ entering codes. If A says "I want to connect to B" and B does the same they'll
112+ find each other and get a secure connection. Some additional data needs to be
113+ exchanged and stored in order to allow for a good user experience.
114+
115+ Support for session resumption is declared using the
116+ ` seeds-v1 ` ability during the ` versions ` phase. Additionally, a ` seeds `
117+ key must be added to the versions message that roughly looks like this:
118+
119+ ``` json
120+ {
121+ "abilities" : [ " seeds-v1"
122+ "app_versions" : {},
123+ "seeds" : {
124+ "display_names" : [<string> ],
125+ "known_seeds" : [<string> ],
126+ },
127+ }
128+ ```
129+
130+ A client may choose a list of ` display_names ` in order to be recognizable. Note
131+ that client names may be arbitrary, collide with other sessions or change over
132+ time. Any valid UTF-8 string may be used as name, except for the following
133+ characters: ` ' ` , ` " ` and ` , ` .
134+
135+ It is up to the clients to keep track of such a mapping and keep it up to
136+ date, if they want to. It is also up to the clients to name themselves.
137+ We recommend giving at least two values: one with the user's
138+ name and one that also disambiguate multiple devices the user may have (now or in
139+ the future). The list must be sorted in decreasing order of preference.
140+
141+ A seed is derived from the shared session key like this:
142+
143+ ``` python
144+ # `derive(key, purpose)` is the usual key derivation function
145+ seed = hex (derive(session_key, " wormhole:seed"
146+ ```
147+
148+ The ` seed ` is the main shared secret between the peers and all other data will
149+ be derived from it:
150+
151+ ``` python
152+ password = hex (derive(seed, " wormhole:seed:password"
153+ nameplate = hex (derive(seed, " wormhole:seed:nameplate"
154+ ```
155+
156+ To "grow" a seed (resume a connection), both sides connect to the rendezvous server
157+ using ` ${nameplate}-${password} ` as code. The code is entered automatically without
158+ user interaction. Setting the ` seeds-v1 ` ability in the ` versions ` phase is not
159+ required anymore.
160+
161+ On normal connections where both sides support the seeds ability, clients may
162+ wish to know whether they already share a seed in common with the peer. For this,
163+ they may specify all their known seeds into the ` known_seeds ` list, but hashed
164+ with a key derivation function using the raw (i.e. not hex-encoded) session ID
165+ as purpose. By simple set intersection, they will then find out the seeds they
166+ have in common (provided that both sides act faithfully). The process is equivalent
167+ to a simple * private set intersection* protocol, meaning that as long as the
168+ session ID is unique no sensitive contact graph information will be leaked.
169+
170+ ### Client implementation notes
171+
172+ - Clients should notify the user about the display names feature, or even provide
173+ opt-in. For some people, user name or device name are sensitive information.
174+ - It is up to the clients if they want to make pairings explicit or automatic.
175+ - Seeds only work if both sides store the seed. A seed only stored on one side
176+ will not function. Clients must deal with this scenario.
177+ - An expiration time of 12 months for explicitly stored seeds is recommended.
178+ Automatically stored seeds (e.g. for session resumption) should be expire after
179+ 1-14 days, depending on the use case.
0 commit comments