ATT is used in conjunction with &xep0384; for automatically establishing secure channels protected against active attacks between a new device and existing ones after a single mutual manual authentication between the new device and one of the existing ones.
A trusted third party is not required since an ordinary OMEMO message is used for transferring the information needed to authenticate a public identity key or revoke the trust in that key.
Additionally, it preserves the anonymity of the authentication and revocation since those messages are only sent to devices with authenticated public identity keys.
End-to-end encryption without verifying the authenticity of the exchanged public identity keys only enables users to protect their communication against passive attacks.
This means an attacker cannot read encrypted messages in transit without actively intervening in the key exchange.
However, without any other precautions active attacks are still possible.
If an attacker replaces the exchanged keys with malicious ones, the end-to-end encrypted messages can be read and manipulated by the attacker.
That key has to be authenticated by the receiving device over a channel which is protected against active attacks to maintain the confidentiality of sent OMEMO messages and ensuring the authenticity and integrity of received OMEMO messages.
When using OMEMO, each device has a unique identity key.
For that reason it is not necessary to copy an existing private identity key to a new device enabling it to use end-to-end encryption.
Additionally, it can be used to stop encrypting for a specific device.
For example, that could be done automatically after a given number of sent messages without any reaction from the receiving device that would forward the double ratchet to ensure forward and backward secrecy.
</p>
<p>
However, the downside of that approach is that it increases the number of key authentications users need to do for each new device to be protected against active attacks.
Without ATT all n-1 mutual authentications per new key have to be done manually.
With ATT though, only one mutual manual authentication per new key is required.
A trust message for a device's key sent to another device is a trust message that contains the key identifer of the given key for authentication or revocation.
Trust message which only contains key identifiers for authentication.
If a trust message contains authentication and revocation parts, the term authentication message is used for referring to the trust message without revocation parts.
</dd>
</di>
<di>
<dt>Revocation message</dt>
<dd>
Trust message which only contains key identifiers for revocation.
If a trust message contains authentication and revocation parts, the term revocation message is used for referring to the trust message without authentication parts.
The network of devices which authenticated each other's keys can be seen as a complete graph where each device is a node and each mutual authentication is an edge.
This is due to the fact that in order to sustain secure channels between all devices, a new key has to be authenticated by all n existing devices and vice versa.
The remaining authentications can be automated relying on the secure channel established by the inital mutual manual authentication and the secure channels already created by the same procedure between the rest of the devices.
</p>
<p>
For creating the described complete graph with n nodes, a total of T(n) = (n*(n-1))/2 ∊ O(n²) mutual authentications are needed.
When using ATT, only T(n) = n-1 ∊ O(n) of them have to be made manually.
All remaining authentications can be performed automatically.
Thus, less user interaction is needed for authenticating all keys involved in the secure communication while preserving the same security level.
Device 1 automatically sends an authentication message for device 2's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 2.
Device 2 automatically sends an authentication message for device 1's key to devices whose keys it has already authenticated and another authentication message for the keys of those devices to device 1.
Device 1 automatically authenticates the keys of the authentication message from device 2.
Each device receiving an authentication message from device 1 automatically authenticates device 2's key, if device 1's key has already been authenticated by it.
Each device receiving an authentication message from device 2 automatically authenticates the corresponding keys, if device 2's key has been authenticated by it.
</p>
</li>
<li>
<p>
Device 2 automatically authenticates the keys of the authentication message from device 1.
Each device receiving an authentication message from device 2 automatically authenticates device 1's key, if device 2's key has already been authenticated by it.
Each device receiving an authentication message from device 1 automatically authenticates the corresponding keys, if device 1's key has been authenticated by it.
Device 1 manually revokes the trust in the key of device 2.
Device 1 automatically sends a revocation message for device 2's key to devices whose keys it has already authenticated.
Each device receiving a revocation message from device 1 automatically revokes the trust in device 2's key, if device 1's key has already been authenticated by it.
A trust message contains an <cite>XMPP URI</cite> (see &xep0147;) defined by the following scheme:
</p>
<examplecaption='Scheme of a Trust Message URI'><![CDATA[xmpp:<bare-jid>?omemo-trust;<auth|revoke>=<key-identifier-1>;<auth|revoke>=<key-identifier-2>;<...>;<auth|revoke>=<key-identifier-n>]]></example>
<examplecaption='Example of a Trust Message URI'><![CDATA[xmpp:user@example.org?omemo-trust;auth=623548d3835c6d33ef5cb680f7944ef381cf712bf23a0119dabe5c4f252cd02f;auth=d9f849b6b828309c5f2c8df4f38fd891887da5aaa24a22c50d52f69b4a80817e;revoke=b423f5088de9a924d51b31581723d850c7cc67d0a4fe6b267c3d301ff56d2413]]></example>
A device that receives an authentication message for a key of an own device from another own device MUST authenticate the key as soon as the receiving device authenticated the key of the device which sent the authentication message.
<section2topic='Revoking the Trust in a Key'anchor='usecases-revocation'>
<p>
A client MAY send a revocation message for a key that is not trusted anymore by the sending client so that key will no longer be trusted by the receiving client.
A client receiving a revocation message SHOULD revoke the trust in the corresponding key.
</p>
<p>
// TODO Further discussion has to take place before finalizing this section.
<section2topic='Storing Trust Message Information from Devices with Unauthenticated Keys'anchor='impl-storing-trust-message-information-unauthenticated-keys'>
<p>
A client MUST save the information of a trust message until the key of the device which sent the trust message is authenticated, so that the key can then be authenticated or revoked.
Afterwards the information of the trust message MAY be deleted.
</p>
<p>
Example:
When Alice's device A1 authenticates the key of Bob's device B1, A1 sends a trust message containing the keys of Alice's other device A2 to B1.
If B1 has not already authenticated A1's key, B1 stores the information provided by the trust message.
B1 authenticates A1's key and is then able to automatically authenticate A2's key.
</p>
</section2>
<section2topic='Storing Trust Message Information for Unknown Keys'anchor='impl-storing-trust-message-information-unknown-keys'>
<p>
A client MUST save the information of a trust message until it has fetched the corresponding key so that the key can then be authenticated or revoked.
Afterwards the information of the trust message can be deleted.
</p>
<p>
Example:
Alice's device A1 receives an authentication message from Bob's device B1.
That authentication message contains the key for Bob's other device B2.
If A1 has not already fetched B2's key, A1 stores the information provided by the trust message.
A1 fetches B2's key and is then able to automatically authenticate A2's key.
For reducing the number of trust messages sent to a device, a client MAY use a URI containing multiple keys that have been authenticated shortly after another.
</p>
<p>
Example:
Alice's device A1 authenticates the keys of Bob's devices B1 and B2 after scanning Bob's QR code containing their key identifiers.
A1 sends one authentication message for all of the authenticated keys.
Furthermore, a client MAY use &xep0280; for sending a trust message to all devices of a contact or to all own devices at once.
Then, by sending a trust message to the contact, each device of the contact and each own device gets the same trust message by the server.
Thus, a client needs to send the same trust message only once.
If not all devices of the contact should receive the trust message, the trust message MAY be sent to specific devices of the contact but for all own devices Message Carbons MAY be used and vice versa.
Even when a client does not already have a contact, the client MAY use Message Carbons for delivering a trust message to all own devices.
</p>
<p>
Example:
Alice's device A1 authenticates the key of her device A2.
A1 sends the trust message for A2's key only once to all of Alice's and Bob's devices by using Message Carbons.
</p>
<p>
Attention:
In that context, sending a trust message to all devices of a contact or to all own devices does not mean to encrypt it with the keys of all those devices.
Instead, it only means that all of those devices should receive the trust message even if it is not encrypted for some of them and thereby not decryptable by those devices.
Keep in mind that a trust message MUST only be encrypted for devices with authenticated keys.
</p>
<p>
The drawback of using Message Carbons is that clients may show a message to the user that an OMEMO message received which has not been encrypted for the corresponding device.
It is more secure to be protected against passive attacks instead of not using any encryption.
If it is not possible to authenticate a key before encrypting with it but it is desired to communicate with the key's device, it is RECOMMENDED to blindly trust new keys until the first authentication has been made.
</p>
<p>
Even ATT cannot protect the user against an attacker with a blindly trusted and undetected malicious key.
For this reason it is important to take special care of the following security aspects.
</p>
<p>
If keys are blindly trusted until the first authentication, keys which are not authenticated by then MUST NOT be used any longer for encryption until they have been authenticated too.
New keys MUST also only be used for encryption after they have been authenticated.
Without these two additional precautions it is not possible to protect the user against attackers who introduced malicious keys before or after the first authentication.
