4S Secrets should be sent as part of the device verification exchange, not afterwards #2209

@richvdh

Suppose a user has two devices, A and B. A is already verified and has access to the 4S secrets (private cross-signing keys, backup decryption key, etc).

Currently, if you perform an interactive verification between the devices, then once verification is complete, B must request the secrets from A, and wait for A to send them. This is problematic because the verification process isn't really "complete" until those secrets have been received, yet we may have to wait an unbounded amount of time for them to arrive.

(B must also wait for A's cross-signature to propagate: again this can take an unbounded amount of time.)

It would be much more robust if:

  • B indicated which secrets it expects early in the verification exchange (possibly even indicating the public keys), so that we can warn the user early on if some secrets are going to be missing
  • A sent the secrets within the verification exchange itself (part of the done message?)

Labels: A-E2EE (Issues about end-to-end encryption), improvement (An idea/future MSC for the spec)