maxidorius | 6 years ago

Allowing a user to make themselves discoverable is fine. The real question is why was "vector.im" used and not "matrix.org", or the user simply prompted? And why is that data queryable without any kind of authentication?

Also, the Identity servers are part of a closed cluster where data is replicated. We are aware of vector.im and matrix.org but you did not answer the following question of the research document: are there other servers in that closed cluster? If yes, which?

Arathorn | 6 years ago

vector.im is the default for Riot because branding for validation emails is done by the identity server, and Riot users expect to see Riot-branded mails, whereas the matrix.org IS sends generic Matrix-branded mails. The user will now get prompted explicitly to confirm their IS as part of the GDPR flow.

IS lookups are shortly going to require auth, as per the OP (even if just to check whether the API user has agreed to the server’s T&Cs).

There are no other servers in the cluster.