Specify history sharing by richvdh · Pull Request #2399 · matrix-org/matrix-spec

richvdh · 2026-06-15T14:45:14Z

Spec for MSC4268.

~~Based on #2398.~~

Pull Request Checklist

Pull request includes a changelog file
Pull request includes a sign off
Pull request is classified as 'other changes'

Preview: https://pr2399--matrix-spec-previews.netlify.app

... instead of the ad-hoc table we have currently.

Co-authored-by: Kévin Commaille <76261501+zecakeh@users.noreply.github.com>

... so that we can reuse it in key bundles

Johennes · 2026-06-16T06:57:07Z

+1. Alice SHOULD ensure that she has downloaded all keys relevant to the room
+   from [server-side key backup](#server-side-key-backups), if she is using it.


I'm wondering if we should rephrase this section so that the requirements and actions are worded with respect to Alice's client rather than herself? The section below about Bob does it this way and it feels a little cleaner to me, if a bit more wordy.

yup, agreed.

Johennes · 2026-06-16T06:58:41Z

+may be shared with future room members in this way.
+
+Recipients SHOULD keep a record of the `shared_history` flag for each
+encryption session. The state of the flag is also saved in the


Likely a stupid question but why do we RECOMMEND keeping a local record here?

Not a stupid question.

I dunno really. I try to reserve MUST for circumstances where the protocol's going to stop working if implementations don't do it, as opposed to where the user's going to get a poor experience (if you want to make a client that gives your user a crappy experience, that's on you). It gets more complicated when we're talking about giving other users a poor experience, as in this case, but still I don't feel like it crosses the line into needing a MUST. Hard to justify objectively though.

Johennes · 2026-06-16T07:01:29Z

+   received a copy of the decryption keys for the session, is seen to leave the
+   room.
+
+   {{% changed-in v="1.19" %}} Since any user that received an invite to the


Should this not also list the new requirement to rotate the session when history visibility changes?

Johennes · 2026-06-16T07:06:01Z

+   containing the sessions she is aware of in the room. Alice SHOULD include
+   only [shareable encryption sessions](#shareable-encryption-sessions) in the
+   `room_keys` section of the structure; other sessions should be listed un the
+   with `withheld` section.


I probably missed it when scanning the MSC but I was surprised that this is a SHOULD. Does that not undermine the shared_history setting and allow for sharing keys that should be deemed unshareable?

yup, good point. Let's change this.

Co-authored-by: Johannes Marbach <n0-0ne+github@mailbox.org>

richvdh

@Johennes thanks for the review; I think I have addressed all your comments.

richvdh · 2026-06-17T17:37:02Z

+may be shared with future room members in this way.
+
+Recipients SHOULD keep a record of the `shared_history` flag for each
+encryption session. The state of the flag is also saved in the


Not a stupid question.

I dunno really. I try to reserve MUST for circumstances where the protocol's going to stop working if implementations don't do it, as opposed to where the user's going to get a poor experience (if you want to make a client that gives your user a crappy experience, that's on you). It gets more complicated when we're talking about giving other users a poor experience, as in this case, but still I don't feel like it crosses the line into needing a MUST. Hard to justify objectively though.

richvdh · 2026-06-17T17:40:46Z

+1. Alice SHOULD ensure that she has downloaded all keys relevant to the room
+   from [server-side key backup](#server-side-key-backups), if she is using it.


yup, agreed.

richvdh · 2026-06-17T17:40:49Z

+   containing the sessions she is aware of in the room. Alice SHOULD include
+   only [shareable encryption sessions](#shareable-encryption-sessions) in the
+   `room_keys` section of the structure; other sessions should be listed un the
+   with `withheld` section.


yup, good point. Let's change this.

richvdh · 2026-06-17T17:41:03Z

+   received a copy of the decryption keys for the session, is seen to leave the
+   room.
+
+   {{% changed-in v="1.19" %}} Since any user that received an invite to the


richvdh and others added 7 commits June 12, 2026 15:42

Use OpenAPI definition for EncryptedFile.

ef50dec

... instead of the ad-hoc table we have currently.

Links to EncryptedFile

5152797

Add changelogs

7fff7a7

Apply suggestions from code review

538671d

Co-authored-by: Kévin Commaille <76261501+zecakeh@users.noreply.github.com>

Custom format for url-safe unpadded base64

e3f6bc4

Move m.room_key.withheld content to a spearate file

f48bf2e

... so that we can reuse it in key bundles

Basic spec for history sharing

1efc062

richvdh requested a review from a team as a code owner June 15, 2026 14:45

richvdh added 3 commits June 15, 2026 15:47

Add shared_history flag to data structures

272ce4c

Notes on rotating sessions

3635463

changelog

e81ffe1

richvdh force-pushed the rav/history_sharing branch from d2329c3 to e81ffe1 Compare June 15, 2026 14:47

richvdh mentioned this pull request Jun 15, 2026

MSC4268: Sharing room keys for past messages matrix-org/matrix-spec-proposals#4268

Merged

turt2live added the release-blocker Blocks the next release from happening label Jun 15, 2026