Wednesday, May 30, 2018
council@muc.xmpp.org
XMPP Council Room | https://xmpp.org/about/xmpp-standards-foundation#council | Room logs: http://logs.xmpp.org/council/ | https://trello.com/b/ww7zWMlI/xmpp-council-agenda

[00:10:41] *** moparisthebest has joined the room
[01:12:24] *** Lance has joined the room
[03:11:40] *** Dave has left the room
[03:13:03] *** Dave shows as "online"
[04:35:22] *** moparisthebest has left the room
[04:58:21] *** Tobias has left the room
[04:58:22] *** Tobias has joined the room
[05:08:39] *** Zash has joined the room
[05:38:03] *** daniel shows as "online"
[05:41:52] *** jonasw shows as "online"
[05:58:53] *** Dave has left the room
[06:01:34] *** Dave shows as "online"
[06:06:50] *** ralphm has left the room
[06:10:42] *** SamWhited has left the room
[06:15:41] *** Zash shows as "online"
[06:15:46] *** Zash shows as "online"
[06:16:07] *** guus.der.kinderen has left the room
[06:16:08] *** guus.der.kinderen shows as "online"
[06:16:08] *** guus.der.kinderen shows as "online"
[06:20:07] *** guus.der.kinderen has left the room
[06:30:02] *** Lance has joined the room
[06:33:50] *** guus.der.kinderen has left the room
[06:33:50] *** guus.der.kinderen has left the room
[06:33:51] *** guus.der.kinderen has joined the room
[06:33:55] *** guus.der.kinderen shows as "online"
[06:43:22] *** guus.der.kinderen has left the room
[06:43:23] *** guus.der.kinderen shows as "online"
[06:43:24] *** guus.der.kinderen shows as "online"
[06:45:29] *** Tobias has joined the room
[06:46:53] *** ralphm has joined the room
[06:47:42] *** Kev has joined the room
[06:47:43] *** Kev shows as "away"
[06:48:50] *** guus.der.kinderen has left the room
[06:49:42] *** Kev shows as "online"
[07:00:39] *** Kev shows as "away"
[07:05:35] <daniel> I want to put http upload on today's agenda. There has been some criticism on the use of normative language which I believe I have addressed now. Before that there was also some criticism on handling headers. This has also been resolved. So I would either like a vote on advancing it since it's technically still in last call or alternatively a vote on restarting last call
[07:05:53] <daniel> Whatever people feel is more appropriate
[07:21:56] *** Kev has left the room
[07:23:28] *** Dave has left the room
[07:24:57] *** Dave shows as "online"
[07:25:31] *** Dave has left the room
[07:25:52] *** Dave shows as "online"
[07:26:07] *** Dave has left the room
[07:36:43] *** Dave has left the room
[07:36:44] *** Dave shows as "online"
[07:38:42] *** Kev has joined the room
[07:38:43] *** Kev shows as "online"
[07:40:13] *** Dave has left the room
[07:40:19] *** Dave shows as "online"
[07:57:01] *** Holger shows as "online" and his status message is "I'm available"
[08:02:44] *** ralphm has left the room
[08:03:29] *** pep. shows as "online"
[08:08:39] *** Dave has left the room
[08:08:40] *** Dave shows as "online"
[08:09:21] *** Dave has left the room
[08:09:25] *** Dave shows as "online"
[08:12:07] *** pep. shows as "online"
[08:20:32] *** ralphm has joined the room
[08:27:53] *** pep. has left the room
[08:27:56] *** pep. shows as "online"
[08:39:57] *** pep. has left the room
[08:40:00] *** pep. shows as "online"
[08:56:38] *** daniel has left the room
[08:56:47] *** daniel shows as "online"
[08:57:39] *** daniel shows as "online"
[09:01:22] *** Dave has left the room
[09:01:22] *** Dave shows as "online"
[09:02:06] *** Dave has left the room
[09:02:14] *** Dave shows as "online"
[09:12:21] *** pep. has left the room
[09:14:52] *** pep. shows as "online"
[09:33:27] *** pep. has left the room
[09:34:32] *** jonasw shows as "away"
[09:38:46] *** pep. shows as "online"
[09:48:38] *** Kev shows as "away"
[09:48:49] *** Kev shows as "online"
[09:55:44] *** pep. shows as "online"
[09:59:02] *** guus.der.kinderen has left the room
[09:59:07] *** guus.der.kinderen shows as "online"
[10:14:42] *** vanitasvitae shows as "online"
[10:19:27] *** moparisthebest has joined the room
[10:24:36] *** Zash has left the room
[10:30:01] *** Link Mauve shows as "online"
[10:38:42] *** Zash has left the room
[10:41:11] *** jonasw shows as "online"
[10:45:21] *** Holger shows as "online"
[10:48:25] *** jonasw shows as "away"
[10:49:18] *** Zash has joined the room
[10:58:05] *** vanitasvitae shows as "online"
[10:58:15] *** vanitasvitae has left the room
[10:58:24] *** vanitasvitae shows as "online"
[10:58:33] *** vanitasvitae has left the room
[11:02:46] *** jonasw shows as "online"
[11:04:52] *** Holger has left the room
[11:08:01] *** moparisthebest has left the room
[11:36:16] *** Kev has left the room
[11:39:40] *** Zash has left the room
[11:40:33] *** Zash has joined the room
[11:45:48] *** moparisthebest has joined the room
[11:47:03] *** moparisthebest has left the room
[11:47:09] *** moparisthebest has joined the room
[11:54:27] *** Kev has joined the room
[11:54:28] *** Kev shows as "online"
[12:05:55] *** jonasw shows as "away"
[12:07:31] *** jonasw shows as "online"
[12:10:06] *** Kev shows as "away"
[12:16:55] *** Kev shows as "online"
[12:42:47] *** Kev shows as "away"
[12:43:01] *** Kev shows as "online"
[12:50:14] *** Dave has left the room
[12:50:15] *** Dave shows as "online"
[12:51:33] *** Dave has left the room
[12:53:22] *** Dave has left the room
[12:53:23] *** Dave has joined the room
[12:55:01] *** Dave has left the room
[12:55:09] *** Dave has joined the room
[12:59:11] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[12:59:12] *** Dave has left the room
[12:59:14] *** Dave has joined the room
[13:00:32] *** Dave has left the room
[13:00:32] *** Dave has joined the room
[13:11:14] *** Dave has left the room
[13:11:15] *** Dave has joined the room
[13:11:50] *** Dave has left the room
[13:11:53] *** Dave has joined the room
[13:17:14] *** Zash shows as "online"
[13:17:19] *** Zash shows as "online"
[13:19:49] *** guus.der.kinderen has left the room
[13:20:03] *** guus.der.kinderen shows as "online"
[13:22:15] *** Zash shows as "online"
[13:23:17] *** Holger has left the room
[13:23:17] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[13:32:30] *** Zash has left the room
[13:37:02] *** Holger shows as "online" and his status message is "I'm available"
[13:37:39] *** Holger has left the room
[13:41:36] *** SamWhited has joined the room
[13:42:42] *** SamWhited shows as "online"
[13:44:30] *** Holger shows as "online" and his status message is "I'm available"
[14:00:10] *** SamWhited has left the room
[14:00:24] *** Holger shows as "online"
[14:03:13] *** sam has joined the room
[14:16:02] *** sam shows as "online"
[14:18:12] *** Holger has left the room
[14:20:47] <Kev> Pre-empting the meeting somewhat, but of TOS I'll say this in advance: It seems like an abuse of adhocs.
[14:21:13] *** Holger shows as "online"
[14:21:13] <Zash> Motivation?
[14:21:20] <Zash> Or, elaboration maybe?
[14:21:37] *** Holger shows as "online"
[14:21:52] <Kev> A normal adhoc implementation can't deal with it, you need a tos implementation, and the tos server has to reject anyone trying to adhoc it without having the "I'm not really an adhoc I'm a tos" support flag.
[14:22:04] <jonasw> Kev, I can’t defend my case at the moment, I’m at work and about to migrate to commuting, unfortunately
[14:22:18] <Kev> So if you don't want any of the features of adhocs, putting it in an adhoc seems unhelpful.
[14:22:32] <Kev> You could have all the same properties in its own namespace for simpler implementation and less confusion.
[14:22:33] <jonasw> the tos server does not have to reject everyone without the tos flag
[14:22:52] <jonasw> it MAY do that if it needs to
[14:23:36] <jonasw> but I tend to agree that we might want to drop that flag out of this version; there’s nothing in the XEP as it stands which warrants that
[14:24:24] <jonasw> and client-side, you can do fine with a normal, compliant Ad-Hoc implementation, because Ad-Hoc commands may have multiple payloads (and the form is intentionally at the place where it is so that it takes precedence on unknowing clients)
[14:25:02] <sam> I've been thinking about this one and I think I agree. I'm not sure why we need to encode TOS into protocol at all. Just having a standard way to get the text seems like enough. Eg. a standard pubsub node or HTTP location from which it can be fetched.
[14:25:07] <Kev> I'm not intending to block it going to Experimental like this, but I would object to Draft like this.
[14:25:34] *** SamWhitef has joined the room
[14:25:38] <Kev> This really feels like forcing a square adhoc into a round hole.
[14:25:41] *** SamWhited has joined the room
[14:25:48] *** sam has left the room
[14:26:00] *** SamWhited has joined the room
[14:26:05] <jonasw> Kev, as it stands (minus the "I am tos" flag in the initial request), it /does/ work as Ad-Hoc flow, doesn’t it?
[14:26:05] *** SamWhited shows as "online"
[14:27:45] <Kev> Other than the extra payload? Possibly. But that "I am TOS" flag changes things.
[14:28:17] <Kev> And that you're doing it before authentication.
[14:28:43] <Kev> When iqs don't really work properly, because you don't have a bound resource, etc.
[14:29:08] <jonasw> Kev, the extra payload is ok as per my reading of '50
[14:29:27] <jonasw> we have precedence for pre-bind IQs actually (bind itself being one)
[14:29:57] <Kev> The only one, I think, and that's generally felt to be a mistake by anyone who's had to code pre-auth flows in a server, I think.
[14:30:32] <Zash> Yes
[14:30:50] <Kev> Or pre-stream-is-running, I guess, as it's not pre-auth.
[14:31:41] <Zash> We finally got rid of that in Prosody, so the bind isn't treated as a stanza with exceptions in the "is this session allowed to send stanzas?" code
[14:31:56] <Zash> Now it's a stream element that just happens to be in the jabber:client namespace
[14:33:39] *** daniel has left the room
[14:35:36] *** Holger shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[14:35:43] *** Holger shows as "online"
[14:37:35] *** daniel shows as "online"
[14:37:58] *** jonasw shows as "away"
[14:40:09] *** Ge0rG has joined the room
[14:48:37] *** peter has joined the room
[14:49:08] *** Dave has left the room
[14:49:09] *** Dave has joined the room
[14:52:29] *** Kev shows as "away"
[14:58:41] *** peter shows as "away" and his status message is "Auto Status (idle)"
[14:59:45] *** Kev shows as "online"
[15:00:07] <Kev> 'Tis time, 'tis time.
[15:00:13] <Kev> 1) Roll call
[15:00:17] <daniel> hi
[15:01:12] *** peter shows as "online"
[15:01:13] *** Holger has left the room
[15:01:18] <Kev> SamWhited is expecting to be here. I don't remember about Ge0rG.
[15:01:40] <Ge0rG> I've delayed my trip home despite an empty phone battery to until after the meeting
[15:01:42] <Ge0rG> I'm here.
[15:01:56] *** SamWhited has left the room
[15:02:06] <Kev> SamWhited?
[15:02:36] <Kev> Maybe not.
[15:02:45] <Kev> 2) Isn't it nice that Tedd Sterr does the minutes?
[15:02:45] <Kev> Yes.
[15:02:54] <Kev> 3) Proposed XMPP Extension: Terms of Services

Title: Terms of Services
Abstract:
This specification provides an in-band, unauthenticated way to request
the Terms of Service of an XMPP service.

URL: https://xmpp.org/extensions/inbox/tos.html
[15:03:29] <Kev> I don't like this much, but am not blocking it.
[15:03:59] <daniel> same. but i'll give my official vote on list
[15:04:40] <Ge0rG> I think it's great to have a machine-readable way to link the ToS; not sure about the extended features
[15:05:08] <Kev> (That 'not blocking' is +1 for me, BTW, although I wouldn't expect it to go to Draft like this)
[15:05:16] <Kev> Ge0rG: What is that in terms of a position?
[15:05:27] <Ge0rG> +1
[15:05:37] <Kev> 4) Date of next
SBTSBC?
[15:05:53] <Ge0rG> Wow, that was quick.
[15:06:15] <Kev> I'll take that as a 'yes' :)
[15:06:17] <Kev> 5) AOB?
[15:06:24] <Ge0rG> I still can't guarantee my general availability for this time slot. It looks like it has mostly worked so far, so +1
[15:06:26] <SamWhited> Sorry, I am here, now I'm not getting any notifications for this room
[15:06:33] <daniel> yes i would like to continue with http upload
[15:06:37] <Kev> SamWhited: Just the one item for you to vote on.
[15:06:44] <daniel> either make another last call
[15:06:58] <daniel> or just vote on it
[15:07:04] <Kev> daniel: LCs are cheap, so shall we do that?
[15:07:08] <SamWhited> *nods* I'll be on list anyways
[15:07:19] <daniel> there is a small PR pending
[15:07:29] <Kev> ..so shall we do that after the small PR? :)
[15:07:30] <Ge0rG> I'm still not lucky about the custom headers.
[15:07:47] <Ge0rG> but my lack of luckiness won't be progress blocking
[15:08:21] <daniel> yeah why not. i was hoping to speed things up; but why bother; it has been months anyway
[15:08:33] <daniel> so yeah i'll just bring it up next week
[15:08:35] <Kev> daniel: I think that's a reason for making a clean cut with a new LC, but can be talked out of it.
[15:08:59] <Kev> daniel: Or just ask the Editors to send an LC mail once your patch is merged?
[15:09:21] <daniel> > : daniel: Or just ask the Editors to send an LC mail once your patch is merged?
yes that was the idea
[15:09:27] <daniel> if council is ok with that
[15:09:27] <Kev> Ok, cool.
[15:09:40] <Kev> AOAOB?
[15:10:22] <daniel> none from me
[15:10:31] *Kev gangs the bavel
[15:10:32] <Kev> Thanks all.
[15:10:49] <Ge0rG> Thanks Kev, thanks all
[15:10:51] *** SamWhited shows as "online"
[15:11:00] *** vanitasvitae has left the room
[15:11:01] <Ge0rG> Thanks Tedd.
[15:11:32] <moparisthebest> so as SamWhited already said, why not just https://XMPP_DOMAIN/.well-known/xmpp-tos.txt ?
[15:11:57] <moparisthebest> certainly seems easier than hacking pre-auth support into servers and clients securely
[15:12:03] *Zash cries over mandatory records at domain apex
[15:12:27] <Ge0rG> - because not every XMPP_DOMAIN is a web server
- because you usually want more markup than .txt
[15:12:33] <moparisthebest> Zash, but which would make you cry harder
[15:12:38] <daniel> > so as SamWhited already said, why not just https://XMPP_DOMAIN/.well-known/xmpp-tos.txt ?
Uh I like that actually. But the anti oob people will *hate* that
[15:12:41] <moparisthebest> Ge0rG, like what?
[15:12:50] <moparisthebest> (more markup I mean)
[15:12:56] <Ge0rG> moparisthebest: like HTML.
[15:13:04] <daniel> Ge0rG: but the xep hosts the tos on http anyway, no?
[15:13:17] <Ge0rG> daniel: but not always on XMPP_DOMAIN
[15:13:35] <Kev> FWIW, I'm not a fan of forcing all this stuff about registration and TOS and etc. etc. over XMPP. ISTM that a lot of the time it's much better served by being out of band.
[15:13:38] <Ge0rG> So now I need to setup a dedicated web server with a 30x
[15:14:21] <moparisthebest> Ge0rG, so https://XMPP_DOMAIN/.well-known/xmpp-tos.html then?
[15:14:22] <daniel> Most good xmpp do probably. Because of websocket bosh discovery and stuff
[15:14:29] <moparisthebest> but now you gotta worry about javascript and XSS
[15:14:33] <Ge0rG> Kev: the result of that would be replacing IBR with a web form?
[15:14:43] <Kev> Ge0rG: Pretty much.
[15:14:53] <Ge0rG> Kev: which is... the current status quo?
[15:14:59] <moparisthebest> IBR is basically already replaced with a web form?
[15:15:15] <Kev> There are cases for autoregistration where inband might make sense, but mostly not for users' IM accounts, I think.
[15:15:28] <Kev> Ge0rG: More or less, I think.
[15:15:28] <Ge0rG> Because UX doesn't matter.
[15:15:36] <Zash> IBR can redirect to a web form, you can put the ToS there.
[15:15:54] <Ge0rG> Zash: can the web form than redirect back to a configured XMPP client?
[15:16:02] <Kev> I *do* think there's value in being able to provide a ToS banner of some sort at login, though.
[15:16:03] <Ge0rG> Zash: can the web form then redirect back to a configured XMPP client?
[15:16:27] <Ge0rG> Kev: "at login" is illusive in times of always on and 0198
[15:16:43] <Zash> At registration would be nicest, no?
[15:16:58] <Ge0rG> Zash: how do you change the ToS then?
[15:16:59] <Zash> Or you can send a MOTD-like message
[15:16:59] <Kev> Ge0rG: It is, kinda.
[15:17:11] <Ge0rG> MOTD is as illusive as "at login"
[15:17:11] <Kev> Zash: Yes, but if that's out of band that's SEP.
[15:17:17] <moparisthebest> or the client can just check the .well-known URL
[15:17:27] *** SamWhited has left the room
[15:17:31] <Ge0rG> moparisthebest: check it for what?
[15:17:40] <moparisthebest> whatever it wants, whenever it wants :)
[15:18:07] <Ge0rG> moparisthebest: how is it supposed to figure out whether the ToS have changed in any significant way? Whether user consent is required to the new ToS?
[15:18:29] <moparisthebest> it can't, show it to the user, done
[15:18:39] <moparisthebest> it's not like the user is going to read it anyway
[15:18:42] *** SamWhited shows as "online"
[15:18:44] <moparisthebest> but they can if they wish
[15:18:49] <pep.> Can we seriously stop requiring http every. fking. where. Re ToS
[15:19:03] <daniel> And then it's up to the admin to notify existing users via message
[15:19:04] <moparisthebest> nope, it's already done, the battle is lost
[15:19:12] <Zash> Kev, what is out of band?
[15:19:17] <moparisthebest> is it better to invent some new complicated thing to avoid using HTTP pep. ?
[15:19:18] <daniel> > Can we seriously stop requiring http every. fking. where. Re ToS
Told you
[15:19:19] <Kev> Registration.
[15:19:46] <pep.> moparisthebest: what's complicated
[15:20:14] <pep.> You ask for a document, the server gives it to you
[15:20:21] <moparisthebest> pep., use the correct tool for the job, you can invent some complicated XMPP extension to link to an HTTP URL, or you can use .well-known which is simple and already exists
[15:20:58] <Ge0rG> moparisthebest: and doesn't fulfill the required needs.
[15:20:59] <daniel> Fun side note stateless let's do everything over http jmap just introduced websocket support because apparently http is f*ing slow
[15:21:18] <Zash> ha-ha
[15:22:25] <pep.> When is the switch from TCP/XML to http/json planned for again
[15:23:16] <Zash> pep., depends on how much you wanna listen to the matrix.org ppl?
[15:23:26] <pep.> :)
[15:25:01] *** peter shows as "away" and his status message is "Auto Status (idle)"
[15:26:32] <moparisthebest> you know the saying, if all you have is a hammer, everything looks like a nail?
[15:26:41] <Zash> moparisthebest, applies in both directions
[15:26:50] <moparisthebest> xmpp isn't the only tool, sometimes http is more appropriate, no reason it shouldn't be used in those places
[15:26:52] *** Dave has left the room
[15:26:57] *** Dave has joined the room
[15:27:18] <Ge0rG> moparisthebest: please describe how you will implement mandatory consent and ToS changes with the HTTP scheme.
[15:27:28] <Zash> I don't see why we shouldn't try to enable in-band pointing to a ToS.
[15:27:50] <Kev> Zash: No, I don't think that's fine.
[15:27:52] <Zash> The pointer itself can be HTTP or whatever URI/URL you want
[15:27:57] <moparisthebest> Ge0rG, client fetches TOS before attempting to log in, refuses to log in unless user agrees?
[15:28:15] <Ge0rG> moparisthebest: how does the server know if the client actually checked that?
[15:28:28] <moparisthebest> it can't no matter what
[15:28:36] <Zash> How does Let's Encrypt know anyone actually read their terms?
[15:28:41] <moparisthebest> yep
[15:29:04] <Ge0rG> let's exclude malicious clients for a moment.
[15:29:16] <Ge0rG> How does a server know that the client actually showed the ToS to the user?
[15:29:30] <moparisthebest> excluding malicious clients then it just does
[15:29:47] <moparisthebest> it just assumes they did, it's the best you can do
[15:29:56] <Ge0rG> Uhm. No.
[15:30:08] <Zash> Kev, I don't think I can't not follow all these double negatives.
[15:30:14] <pep.> You'd need to require auth on your webpage
[15:30:15] <moparisthebest> explain how an in-band protocol is different Ge0rG ?
[15:30:22] <Ge0rG> You can't because you don't know whether the client actually supports the feature. And whether the client actually succeeded in fetching the ToS (think wifi portal)
[15:30:30] <Kev> Zash: I'm fine with a mechanism for pointing to ToS from inband. I'm not sure the current protoXEP is the right way to do it.
[15:30:45] <Ge0rG> Kev: you might want to argue your points on standards@
[15:30:46] <moparisthebest> Ge0rG, and how is that different with an in-band approach?
[15:30:51] <moparisthebest> I believe both are still true
[15:31:06] <Ge0rG> moparisthebest: https://xmpp.org/extensions/inbox/tos.html#usecase-expired-reject-bind
[15:31:09] <Kev> moparisthebest: Inband you know that the client requested it because it did so over the current stream.
[15:31:54] <Ge0rG> the inband approach also has a (theoretically) nice way to enforce tos-before-login.
[15:32:13] <Zash> Kev, I can go along with that.
[15:32:13] <Ge0rG> so it's not "we locked you out because you didn't consent in time. Good luck without us now"
[15:33:34] *Ge0rG goes OOB now. seeya
[15:34:02] <Kev> o7
[15:34:09] <moparisthebest> in both cases you have the client telling you the user agreed to the TOS
[15:34:16] <moparisthebest> and 0 guarantee any of that happened
[15:34:56] <Zash> Does it matter if "the client" is a browser or an xmpp client?
[15:35:14] *** vanitasvitae shows as "online"
[15:35:18] <moparisthebest> I don't think so?
[15:36:03] <Zash> Well then
[15:37:26] *** SamWhited has left the room
[15:38:58] *** peter shows as "online"
[15:41:27] <Zash> IIRC, in ACME, there's protocol for retrieving a pointer/URL to the terms. The client supposedly shows that to the user, then indicates acceptance by sending a hash of the terms.
[15:42:11] *** vanitasvitae has left the room
[15:42:25] *** vanitasvitae shows as "online"
[15:43:38] *** vanitasvitae has left the room
[15:46:12] <moparisthebest> yea that's not bad
[15:46:25] *** moparisthebest shows as "online"
[15:46:33] <moparisthebest> at least you know the client actually got them
[15:47:18] <Kev> It seems an odd thing to trust the client to have shown something to the user because it said it did, and can prove it fetched it, but not trust the client to have shown something to the user because you remember it fetching it, and it says it did.
[15:49:02] *** peter shows as "away" and his status message is "Auto Status (idle)"
[15:52:22] *** SamWhited shows as "online"
[15:55:22] <moparisthebest> maybe the server should just give the user a quiz about the TOS
[15:55:45] <moparisthebest> like 10 random questions from a pool of 50, and they need to get 80% correct to be able to log in
[15:55:50] <moparisthebest> thanks GDPR!
[15:56:51] *** vanitasvitae shows as "online"
[15:56:59] <Zash> But ACME is IETF-approved prior art, which is why I'm thinking that following that might be sensible.
[15:57:05] <SamWhited> You don't have to confirm that the client did the correct thing, you can't do that anyways. All you can do is confirm that the client downloaded the terms; beyond that it's on them if they don't show it to the user.
[15:57:24] <SamWhited> I seriously doubt if it matters if you confirm that the client downloaded it vs. it downloaded it and hashed it.
[15:57:54] <moparisthebest> I actually implemented that quiz thing for a forum registration back in the day, it really cut down on the number of lazy idiots registering just to ask the same dumb question over and over :)
[15:58:00] <Kev> moparisthebest: I have implemented exactly such a thing for some obscure place (not work related, and not GDPR-related)
[15:58:19] <moparisthebest> small world :)
[16:01:01] <SamWhited> (the hash matters in ACME because it makes the server stateless and means you don't have to have a cookie lying about)
[16:01:46] <Kev> I'm not sure you do anyway, do you?
[16:02:21] <Kev> Or, rather, I'm not sure that there's a useful distinction between "Client downloads terms and then lies about the user accepting them" versus "Client doesn't download terms and then lies about the user accepting them".
[16:04:01] <moparisthebest> it does rule out network errors Ge0rG mentioned earlier I guess
[16:04:02] <SamWhited> Yah, I don't think it matters either way personally, but I can see wanting to make sure you've done all you can so that the client is liable if it never shows them to the user.
[16:04:54] <SamWhited> Making sure it's downloaded just gives servers leverage to say that it was the client acting in bad faith because they had to actively try to trick us into thinking the user accepted (I suspect, not a lawyer, etc.)
[16:05:36] <SamWhited> Or at the very least gives us more confidence that a bug didn't cause it to skip the TOS request.
[16:05:37] *** ralphm has left the room
[16:07:46] <Kev> It suggests bad caching or whatever isn't at play, yeah.
[16:07:52] *** SamWhited has left the room
[16:08:50] *** guus.der.kinderen has left the room
[16:09:02] *** peter shows as "xa" and his status message is "Auto Status (idle)"
[16:11:30] *** guus.der.kinderen has left the room
[16:13:19] *** guus.der.kinderen has joined the room
[16:13:26] *** guus.der.kinderen shows as "online"
[16:14:33] *** guus.der.kinderen has left the room
[16:14:39] *** guus.der.kinderen shows as "online"
[16:14:46] *** guus.der.kinderen shows as "online"
[16:17:22] *** vanitasvitae has left the room
[16:18:14] *** vanitasvitae shows as "online"
[16:19:56] *** guus.der.kinderen has left the room
[16:26:56] *** ralphm has joined the room
[16:27:02] *** vanitasvitae has left the room
[16:44:57] *** Lance has joined the room
[16:46:22] *** Kev shows as "away"
[16:49:56] *** SamWhited shows as "online"
[16:55:37] *** guus.der.kinderen has left the room
[16:55:59] *** guus.der.kinderen shows as "online"
[17:05:42] *** Holger shows as "away" and his status message is "I'm away"
[17:17:09] *** peter shows as "online"
[17:24:29] *** peter has left the room
[17:36:18] *** SamWhited has left the room
[17:41:22] *** ralphm has left the room
[17:42:15] *** jonasw shows as "online"
[17:44:20] *** Tobias shows as "online"
[17:44:26] *** Tobias shows as "online"
[17:48:43] *** SamWhited shows as "online"
[18:02:51] *** SamWhited has left the room
[18:02:51] *** SamWhited shows as "online"
[18:03:11] *** SamWhited shows as "online"
[18:14:17] *** Dave has left the room
[18:14:47] *** Dave has joined the room
[18:16:02] *** Dave has left the room
[18:16:02] *** Dave has joined the room
[18:34:15] *** Lance has joined the room
[18:46:29] *** vanitasvitae shows as "online"
[18:55:19] *** Dave has left the room
[18:55:57] *** Dave has joined the room
[18:58:26] *** Dave has left the room
[18:58:27] *** Dave has joined the room
[18:58:57] *** Dave has left the room
[18:59:06] *** Dave has joined the room
[19:00:04] *** Holger has left the room
[19:00:22] *** Holger shows as "online" and his status message is "I'm available"
[19:14:01] <Ge0rG> You folks are totally missing my point, which was that with a fixed https URL, there is no way to ensure from the server side whether the client supports and performs the ToS display game. If you are in GDPR-required-consent territory, you, as a server operator, must be able to prove that the user consented.
[19:16:35] <daniel> Ge0rG: so as a server operator you want to seriously exclude any client that doesn't accept the tos?
[19:16:53] <daniel> Or in other words. Every. Single. Client.?
[19:16:58] <SamWhited> If you use HTTP you have to do a checksum like Zash said if you want that.
[19:17:08] <Ge0rG> SamWhited: no!
[19:17:30] <SamWhited> Ge0rG: what do you mean?
[19:18:09] <Ge0rG> SamWhited: I don't want proof that the client *downloaded and hashed* the ToS, I want some kind of indicator that it displayed them to the user and the user had to click the "accept" button
[19:18:24] <Ge0rG> SamWhited: obviously a malicious client can circumvent any kind of protocol.
[19:18:42] <SamWhited> Ge0rG: You can't get that no matter what, and you don't need it for GDPR.
[19:19:17] <Ge0rG> SamWhited: I can have a data-form with a checkbox
[19:19:27] <SamWhited> Which the client could just submit.
[19:19:38] <Ge0rG> Ge0rG> SamWhited: obviously a malicious client can circumvent any kind of protocol.
[19:19:45] <SamWhited> It doesn't matter as long as you give the client a way to get it; you can't force the user to read it or the client to display it.
[19:20:02] <SamWhited> Right, so there's not much point to checking.
[19:20:09] <Zash> You can do things in good faith and hope for the best
[19:20:16] <SamWhited> Right.
[19:20:30] <SamWhited> At best you can make sure the client actually fetched it, then it's their problem if they don't display it.
[19:20:49] <Ge0rG> SamWhited: there is a substantial difference between "a 'well-defined' URL might or might not provide ToS which a client might or might not download and maybe show to the user which maybe then the user can click through" and "the user had to click a button on a form linking to the ToS"
[19:21:39] <SamWhited> I know, that's why I said you could just do a hash or something. That gives you the bare minimum like an HTTP site would have (eg. we know it was downloaded at least).
[19:21:46] <Zash> daniel, the client exclusion issue also applies to registering on conversations.im and you wanting to get an email to send invoices to. can't do that with protocol atm without excluding all clients.
[19:21:47] <Ge0rG> An IQ with the date/version of the ToS that were accepted is sufficient for the latter.
[19:22:39] <Ge0rG> And if a client doesn't advertise support for xep-tos, you need to either blackhole its comms and send a server-message with the ToS or do other hackery
[19:23:04] <Ge0rG> But "here is a well defined URL" doesn't let the server check whether the client supports showing ToS.
[19:24:08] <SamWhited> This TOS thing people want only has to be done during registration right? Presumably this isn't something you'd care to do before every login.
[19:24:24] <SamWhited> If so, maybe it makes more sense as an extension to https://xmpp.org/extensions/xep-0389.html
[19:24:30] <Ge0rG> SamWhited: except when the ToS change.
[19:24:44] <SamWhited> Ge0rG: then you send them a message saying the TOS changed (just like websites do with email).
[19:26:25] <SamWhited> Or also make it a part of sasl2; there may be some room to make the challenges overlap.
[19:28:43] <Ge0rG> The problem, again, is that with always-on devices the user isn't guaranteed to be in front of the device when the login happens
[19:29:19] *** Dave has left the room
[19:29:19] *** Dave has joined the room
[19:29:46] <Zash> Ge0rG, they will notice if they are offline a while
[19:30:16] <SamWhited> Isn't that still a problem with the proposal as it stands right now?
[19:30:48] <SamWhited> Also, does it matter? When they pull their phone out or whatever it will have a TOS screen and they will have to accept. Or am I misunderstanding the problem?
[19:31:11] *** Dave has left the room
[19:31:12] *** Dave has joined the room
[19:31:13] <Zash> Buttons-in-messages!
[19:31:19] <Zash> The Slack thing
[19:31:21] <Ge0rG> messages-in-buttons
[19:31:28] <Ge0rG> buttons-in-messages-in-buttons.
[19:31:53] *** Dave has left the room
[19:32:01] *** Dave has joined the room
[19:32:20] <Ge0rG> SamWhited: I never claimed the current proposal is perfect. I'm just trying to define the most probable use case.
[19:32:59] <Ge0rG> Obviously, some server admins will just send their users a message, containing a link or the ToS as a dump, at whatever time is appropriate for the server admin, and not care that some users will be woken up by a beeping phone at 3AM
[19:33:40] <Zash> Perfect vs good -- FIGHT!
[19:34:48] <SamWhited> I think I'm just not sure what the problem is you're finding with it.
[19:35:07] <Ge0rG> with the current xep?
[19:35:31] <SamWhited> Yes, because I never suggested that you said the current proposal was perfect, so I have no idea what you're even replying to.
[19:36:39] <Ge0rG> I didn't even point out any issues in the current XEP.
[19:36:58] <SamWhited> > The problem, again, is that with…
[19:37:13] *** Dave has left the room
[19:37:34] <SamWhited> I'm just trying to understand if you're for or against the general idea, or the specific implementation, or what
[19:37:50] <Ge0rG> I'm for the general idea and not against the specific implementation
[19:37:53] *** Dave has joined the room
[19:38:03] <Zash> Maybe write all this down and post to standards@?
[19:38:07] <Ge0rG> I'm against the idea of just defining a well-known ToS URI and considering the problem solved
[19:38:35] *** Dave has left the room
[19:38:35] *** Dave has joined the room
[19:38:45] <SamWhited> That makes sense; thanks. I'm against the current implementation and not against the general idea, I think, but still trying to work out how strongly I feel about it or whether I think it matters.
[19:44:41] *** peter has joined the room
[19:44:56] *** Dave has left the room
[19:44:57] *** Dave has joined the room
[19:46:55] *** Dave has left the room
[19:47:05] *** Dave has joined the room
[20:00:55] *** jonasw shows as "away"
[20:03:23] <Kev> Ge0rG: I don't think *anyone* is for just having a .well-known and leaving it at that.
[20:03:36] <SamWhited> Honestly, I'm not against that.
[20:03:41] <Kev> If I gave the impression that I'm arguing for that I've grossly misrepresented myself.
[20:03:44] <SamWhited> I'm not sure that it's my preferred method, but it does seem good enough.
[20:04:17] <Zash> As optional discovery method, maybe.
[20:04:28] <Kev> But I'm just not a fan of the current spec, particularly around using adhocs with bits that aren't standard adhocs, and of having adhocs inside iqs before authentication.
[20:04:31] <Zash> But ugh, .well-known is meh :(
[20:04:40] <Kev> Or before resource binding, or whatever.
[20:08:15] *** peter shows as "away" and his status message is "Auto Status (idle)"
[20:08:51] *** Lance has joined the room
[20:09:56] <Kev> SamWhited: It depends on good enough for what. It's good enough for letting a client find ToS, but I think the ToS XEP is trying to tell the server the user has accepted terms, which a .well-known on its own clearly doesn't.
[20:10:10] <Ge0rG> Kev: no, you were not the one. But there was a claim in the room that this suggestion was made by SamWhited
[20:10:32] <Ge0rG> Anyway, the discussion should be moved to standards@
[20:10:51] <Zash> +1
[20:10:52] <SamWhited> Kev: yah, fair, I guess we'd need some sort of notification to the server too
[20:10:54] *** vanitasvitae has left the room
[20:11:00] <Kev> Ge0rG: Probably true.
[20:11:05] *Kev bimbles AFK again.
[20:12:24] *** moparisthebest shows as "online"
[20:17:16] *** Zash has left the room
[20:28:15] *** peter shows as "xa" and his status message is "Auto Status (idle)"
[20:34:40] *** guus.der.kinderen has left the room
[20:34:45] *** guus.der.kinderen shows as "online"
[20:38:21] *** Tobias has joined the room
[20:40:05] *** Dave has left the room
[20:40:05] *** Dave has joined the room
[20:49:20] *** peter shows as "online"
[20:49:23] *** Zash shows as "online"
[20:53:26] *** daniel has left the room
[20:59:41] *** peter shows as "away" and his status message is "Auto Status (idle)"
[21:04:22] *** Zash has left the room
[21:08:34] *** Tobias has left the room
[21:08:35] *** Tobias has joined the room
[21:09:50] *** Zash shows as "online"
[21:10:00] *** Zash shows as "online"
[21:13:35] *** Zash shows as "online"
[21:13:42] *** Zash has left the room
[21:19:43] *** peter shows as "xa" and his status message is "Auto Status (idle)"
[21:22:28] *** vanitasvitae shows as "online"
[21:26:41] *** vanitasvitae has left the room
[21:28:01] *** vanitasvitae shows as "online"
[21:57:13] *** vanitasvitae has left the room
[21:57:45] *** vanitasvitae shows as "online"
[22:00:01] *** vanitasvitae has left the room
[22:02:45] *** vanitasvitae shows as "online"
[22:03:05] *** peter shows as "online"
[22:13:16] *** peter shows as "away" and his status message is "Auto Status (idle)"
[22:15:25] *** ralphm has joined the room
[22:21:42] *** vanitasvitae has left the room
[22:22:21] *** vanitasvitae shows as "online"
[22:23:44] *** vanitasvitae has left the room
[22:23:59] *** vanitasvitae shows as "online"
[22:24:21] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[22:25:21] *** vanitasvitae has left the room
[22:25:36] *** vanitasvitae shows as "online"
[22:26:58] *** vanitasvitae has left the room
[22:27:10] *** vanitasvitae shows as "online"
[22:28:44] *** vanitasvitae has left the room
[22:28:57] *** vanitasvitae shows as "online"
[22:30:21] *** vanitasvitae has left the room
[22:30:33] *** vanitasvitae shows as "online"
[22:31:59] *** vanitasvitae has left the room
[22:32:11] *** vanitasvitae shows as "online"
[22:33:16] *** peter shows as "xa" and his status message is "Auto Status (idle)"
[22:33:35] *** vanitasvitae has left the room
[22:33:47] *** vanitasvitae shows as "online"
[22:35:11] *** vanitasvitae has left the room
[22:35:23] *** vanitasvitae shows as "online"
[22:36:51] *** vanitasvitae has left the room
[22:37:03] *** vanitasvitae shows as "online"
[23:17:19] *** SamWhited has left the room
[23:56:23] *** Dave has left the room
[23:56:24] *** Dave has joined the room
[23:56:31] *** Dave has left the room
[23:56:34] *** Dave has joined the room