I read the white paper and it gave me a lot of usefull informations.
I still have a question about the creation of the "Recovery Group" ("RG" in the reste of the topic) keyset.
The white paper say that the 1password server is "zero knowledge", there is no data unencrypted on it (except some users informations like email, public key, etc...).
That would mean that the private key of the security group is unknown by the server, and have to be created and encrypted on the client side, right ?
When and how is this keyset created and encrypted ?
I think of something like :
1. When the organizer of the family acount creat the acount, the "RG" keyset in generated on his local client, as his own keyset.
2. The private key of the "RG" is localy encrypted with the public key of the organizer.
3. This "RG" encypted private key his send to the server, with the public key.
This would mean that the process of adding someone (Bob) in the "RG" would be somethink like :
1. The organizer local client use his private key to localy uncrypt the RG private key's.
2. The client then encrypt the RG private key with Bob public key's.
3. The client send the encrypted RG private key to the server.
Am I right ?
If yes, is it the same process when creating a new family account and upgrading from a personnal account to a family one (in the second case, the organizer already existe, so does the RG keyset already where existing but not used ? Or it will be created when changing the account to family one ?)
And second question :
How is the RG linked to the family account ?
How to be sure that there is not a "fake" RG linked to my account (bug or hack) and reciving the cipher key of every single vault of the family acount ?
Waiting to read you,
1Password Version: 7.6.785
Extension Version: 184.108.40.206
OS Version: Windows 10
Sync Type: 1password