MSC4347: Emoji verification images #4347
+159
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,159 @@ | ||
| # MSC4347: Emoji verification images | ||
|
|
||
| I propose supplying exact images to be used within emoji verification, to avoid | ||
| confusion for users where clients use different emoji fonts. | ||
|
|
||
| ## Motivation | ||
|
|
||
| During device or user verification, if the [emoji method of SAS | ||
| verification](https://spec.matrix.org/v1.15/client-server-api/#sas-method-emoji) | ||
| is used, users are asked to compare two lists of emoji characters across two | ||
| devices. | ||
|
|
||
| Clients present these emoji to the user with a message like "Confirm that the | ||
| emojis below match those shown on your other session". | ||
|
|
||
| The spec provides words to describe each character in various languages, and | ||
| also a Unicode code point for each character. Different devices and applications | ||
| render these characters differently, based on the fonts they have available. | ||
|
|
||
| This causes confusion: especially for a user who has never seen this before, it | ||
| is not clear what exactly is being asked. (For all they know the list of symbols | ||
| is always the same and the important point is whether the font/rendering styles | ||
| are identical!) | ||
|
|
||
| I suggest that a standard set of images and a standard layout to display them | ||
| will help users make a quick and confident judgement of whether they are the | ||
| same or different. | ||
|
|
||
| ## Proposal | ||
|
|
||
| I propose providing a fixed set of images to use for emoji verification, and | ||
| recommending a fixed layout for display on screen. | ||
|
|
||
| ### Changes to the emoji table | ||
|
|
||
| Currently the spec provides Unicode code points of emoji for each | ||
| number 0-63 along with translated names. It also provides this information as | ||
| JSON at a well-known URL | ||
| (`https://github.com/matrix-org/matrix-spec/blob/main/data-definitions/sas-emoji.json`). | ||
|
|
||
| The table within the spec and the JSON file would be adjusted to add links to | ||
| URLs like: | ||
|
|
||
| `https://github.com/matrix-org/matrix-spec/blob/main/data-definitions/sas-emoji/00.svg` | ||
|
|
||
| ... | ||
|
|
||
| `https://github.com/matrix-org/matrix-spec/blob/main/data-definitions/sas-emoji/63.svg` | ||
|
|
||
| And the spec would supply images at these URLs. | ||
|
|
||
| I propose including both SVG and PNG format images, so `sas-emoji.json` would | ||
| contain entries like this: | ||
|
|
||
| ``` | ||
| { | ||
| "number": 4, | ||
| "emoji": "🦄", | ||
| "svg": "https://github.com/matrix-org/matrix-spec/blob/main/data-definitions/sas-emoji/04.svg", | ||
| "png": "https://github.com/matrix-org/matrix-spec/blob/main/data-definitions/sas-emoji/04.png" | ||
| "description": "Unicorn", | ||
| "unicode": "U+1F984", | ||
| "translated_descriptions": { | ||
| "ar": "حصان وحيد القرن", | ||
| "bg": "Еднорог", | ||
| "ca": "Unicorn", | ||
| ... | ||
| } | ||
| }, | ||
| ``` | ||
|
|
||
| ### Changes to the spec wording | ||
|
|
||
| I propose updating the wording of the spec to say graphical clients SHOULD | ||
| include copies of these images in their distributions and display them instead | ||
| of the corresponding Unicode code points rendered using a font. They can choose | ||
| freely whether to use SVG or PNG images, but prefer SVG if both are possible. | ||
|
|
||
| I also propose that graphical clients SHOULD display these images in two rows, | ||
| centred vertically, with 4 images on the first row and 3 images on the second, | ||
| with the local translation of the corresponding word below each image. | ||
|
|
||
| ### Non-graphical clients | ||
|
|
||
| Non-graphical clients or other clients that are unable to use the supplied | ||
| images may continue to use Unicode code points as before. | ||
|
|
||
| ### Sourcing the images | ||
|
|
||
| I propose taking a snapshot of the relevant images from | ||
| [twemoji](https://github.com/twitter/twemoji) at the time of incorporating this proposal | ||
| into the spec, and freezing the set of images at that time. (Until/unless some | ||
| other MSC requires them to be changed.) | ||
|
|
||
| These images are attractive and clear. | ||
|
|
||
| These images are provided under the CC BY 4.0 license so may be used with | ||
| proper attribution, which should be added to the spec text and client | ||
| applications. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| * If existing clients use Unicode characters to aid accessibility (e.g. for | ||
| blind users), the use of an image might reduce accessibility. However, the | ||
| already-provided word forms of the emoji are intended to give clients an easy | ||
| way of exposing an accessible interface for the verification process, and | ||
| nothing about this proposal changes that. Clients may also use the standard | ||
| accessibility mechanisms for their platform (e.g. the `alt` or `aria-label` | ||
| properties in HTML) to supply the Unicode characters. | ||
|
|
||
| * The visual style of the twemoji emojis may not fit well with some client | ||
| applications. I consider this aesthetic disruption worth it if it makes the | ||
| verification process easier to use. | ||
|
|
||
| * Some client developers may be concerned at the legal ramifications of | ||
| incorporating CC-licensed artwork into their applications, but my | ||
| understanding of twemoji's license (CC BY 4.0) is that this is allowed for | ||
| applications distributed under any license, so long as they comply with the | ||
| attribution requirement. The | ||
| [README](https://github.com/twitter/twemoji#attribution-requirements) file for | ||
| twemoji lists multiple very easy ways of giving attribution that should be | ||
| possible for any client application. Of course, I am not a lawyer so the | ||
| foundation would need to satisfy itself as to the situation. Client developers | ||
| who really felt unable to adopt the images could continue to display emoji | ||
| using Unicode code points. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| * We could miss out the image URLs in `sas-emoji.json` and expect client | ||
| developers to figure out the correct URLs based on the pattern, but providing | ||
| explicit URLs avoids potential problems with misinterpretations, and provides | ||
| some future-proofing against URL changes in the future. | ||
|
|
||
| * We could choose either SVG or PNG images and not supply both. This would | ||
| further improve consistency, but might make life difficult for client | ||
| developers who are not able to render certain image types. | ||
|
|
||
| * We could use a different emoji set for the images, for example: | ||
|
|
||
| * [Emojitwo](https://emojitwo.github.io) | ||
| * [noto-emoji](https://github.com/googlefonts/noto-emoji) | ||
|
|
||
| but twemoji is already in widespread use in Matrix clients, so seems the | ||
| least disruptive alternative. | ||
|
There was a problem hiding this comment. Does anyone other than Element even use twemoji? It's been dead for years For reference, Beeper is standardizing on Noto color emoji for verification and some other areas There was a problem hiding this comment. @ara4n as the person who wanted to mandate twemoji in matrix-org/matrix-spec#13, any insights here? There was a problem hiding this comment. While the main twemojj repo is dead, jacked’s fork is still active, and used by Discord iirc There was a problem hiding this comment. Since the proposal is to fix on a static set of images, the fact that the source is dead is not very relevant. It would be nice to choose a set of images that is clear, attractive and suitably licensed. |
||
|
|
||
| ## Security considerations | ||
|
|
||
| This proposal is intended to improve security by making it easier for users to | ||
| perform verification. | ||
|
|
||
| If implemented correctly within clients, I can't see any security risks. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| None required. | ||
|
|
||
| ## Dependencies | ||
|
|
||
| None. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The element clients already use twemoji (with the exception of EXI (element-hq/element-x-ios#2242)), so maybe there is nothing to do here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it'd still be nice to check the "can in fact pull images from a JSON file" box if we can, I think. Especially to understand if client teams expect the spec to be the CDN for those images, or if they'll cache them locally (if they cache them locally, we may want to inline the images rather than URL them)