RFC-001 Security §T16 — per-peer block-list (rogue / compromised org admin containment).
ORG_VERIFIED lets an org admin vouch a peer into every org-mate’s inbox
with no per-receiver gate (and, under Option-A auto-pair, no operator tap).
T16’s mitigation is a local kill switch: wire block-peer <did> removes
a single peer from this receiver’s locally-effective roster without leaving
the org. A blocked DID can never be org-auto-pinned or surface an
org-notify prompt; the inbound pair attempt is dropped silently (no
fingerprintable response).
Scope of a block is a prefix-free exact match on whichever DID the operator names:
- block a session DID (did:wire:<handle>-<8hex>) → mutes that one session;
- block an operator DID (did:wire:op:<handle>-<32hex>) → mutes every session that carries that op_did (the T16 intent: cut off the single adversary the rogue admin injected, across all their sessions).
Fail-safe. A missing file loads as the empty block-list (nothing
blocked — the common case). A malformed file also loads empty but logs a
warning: a corrupt block-list must not wedge the daemon, and erring toward
“not blocked” matches the rest of wire’s trust surface (block-list is
defense-in-depth on top of the per-org opt-in, never the only gate). The
block decision is consulted at the org-easing path only; bilateral SAS
(VERIFIED) is an explicit operator gesture that is out of scope here — if
you SAS-pair a peer you blocked, that deliberate act wins (see
wire block-peer --help).
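The fail-safe load and exact-match gate described above, as an added illustration that is not wire's own code: the tab-separated file format (`<did>\t<unix_ts>[\t<note>]`), the struct fields and the `is_blocked` signature are assumptions made for this example.

```rust
use std::collections::HashMap;
use std::path::Path;

/// One block-list entry (hypothetical shape; wire's real BlockEntry may differ).
#[derive(Debug)]
pub struct BlockEntry {
    pub added_unix: u64,
    pub note: Option<String>,
}

/// In-memory block-list keyed by DID. Exact match only, no prefix semantics.
#[derive(Debug, Default)]
pub struct Blocklist {
    entries: HashMap<String, BlockEntry>,
}

impl Blocklist {
    /// Parse the constructed line format `<did>\t<unix_ts>[\t<note>]`.
    /// Any malformed line marks the whole file as corrupt (returns None).
    pub fn parse(text: &str) -> Option<Blocklist> {
        let mut entries = HashMap::new();
        for line in text.lines().filter(|l| !l.trim().is_empty()) {
            let mut parts = line.splitn(3, '\t');
            let did = parts.next()?.trim();
            if !did.starts_with("did:wire:") { return None; }
            let added_unix = parts.next()?.trim().parse::<u64>().ok()?;
            let note = parts.next().map(|s| s.to_string());
            entries.insert(did.to_string(), BlockEntry { added_unix, note });
        }
        Some(Blocklist { entries })
    }

    /// Fail-safe load: a missing (or unreadable) file is the empty block-list;
    /// a malformed file also loads empty but logs a warning. Never wedges the daemon.
    pub fn load(path: &Path) -> Blocklist {
        match std::fs::read_to_string(path) {
            Err(_) => Blocklist::default(),
            Ok(text) => Blocklist::parse(&text).unwrap_or_else(|| {
                eprintln!("warning: malformed block-list at {}, loading empty", path.display());
                Blocklist::default()
            }),
        }
    }

    /// Org-easing gate: drop the pair attempt if either the session DID or the
    /// op_did it carries is blocked. Exact match: blocking did:wire:bob-89abcdef
    /// does not block did:wire:bob-89abcdef99.
    pub fn is_blocked(&self, session_did: &str, op_did: &str) -> bool {
        self.entries.contains_key(session_did) || self.entries.contains_key(op_did)
    }
}
```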
Structs
- BlockEntry - One block-list entry: when it was added + an optional operator note.
- Blocklist - File-backed per-peer block-list. Maps a DID → entry. Absence = not blocked.