From 979e7dcf79a3fdb01424ca42432a53fc6766bc94 Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Tue, 15 May 2018 13:49:11 +0200
Subject: [PATCH] lock keys for verified contacts and groups

---
 source/new.rst | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/source/new.rst b/source/new.rst
index ca98b89..64772b9 100644
--- a/source/new.rst
+++ b/source/new.rst
@@ -253,6 +253,28 @@ Notes on the verified group protocol
   could possibly offer the techniques described here for "secure threads".
 
 
+Autocrypt and verified key state
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Verified key material
+- whether from verified contacts or verified groups -
+provides stronger security guarantees
+then keys discovered in Autocrypt headers.
+
+Therefore the address key mappings should be stored separately
+and used over Autocrypt keys in case of conflicts.
+
+This way verified contacts and groups prevent key injection through
+Autocrypt headers.
+
+In order to allow users to recover from device loss
+the recommendation is to perform new verifications.
+
+Since this may not always be feasible
+clients should provide the users with a way
+to actively move back to an unverified state.
+
+
 Open Questions about reusing verifications for new groups
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~