<dwd> Kev, While I remember, you had objections to my XEP-0001 pass; could you post them to the list so others can agree/disagree?
<Kev> Yes. It's in my todo system. This isn't particularly time-critical though, is it?
<dwd> Kev, I think that the correct thing is that Editor approves Humour, but will run things past Council members and other advisors individually to ensure sanity. Possibly mandate that it's never me, since it hasn't ever been as far as I know. :-)
<dwd> I'd like to keep momentum up on the discussion, if possible, then we can get it all over with.
<Kev> OK. I'll try to get to it sooner than later, then.
<Kev> I'm not really sure I like the thought of there being any XEPs for which the approving body isn't either Council or Board.
<dwd> These *are* Humorous ones. Maybe it needs "in consultation with the XMPP Council Chair" specifically?
<Kev> It seems somewhat self-serving, but I'd be happy with direct approval by council chair, yes.
<Kev> Although TBH I'm not sure what the problem with just using Council is.
<Kev> What usually happens is just someone says to Council, quietly, "I'll be writing along these lines" and Council says "Fine, go ahead".
<Kev> The counter to "These *are* Humorous ones." being "These *are* XEPs".
<Kev> If we went with XEP Editors, we'd need to put in place some sort of rules for meetings and approval process, I think, which we don't currently have.
<Kev> And being able to take a XEP through every step of the process autonomously dramatically changes the scope of the Editor team.
<Tobias> anyone happen to know if XEP-0027 also works for MUCs? and whether that's implemented?
<Kev> 27 doesn't even work for presence :)
<xnyhps> 27 doesn't work.
<Kev> And no, it wouldn't work for MUC.
<Kev> Basically, don't go near 27.
<Tobias> with doesn't work for presence you mean you can't encrypt presence messages?
<Tobias> with doesn't work for presence you mean you can't encrypt presence stanzas?
<xnyhps> You can sign presence or encrypt (but not sign) messages. That's all.
<Kev> No, I mean that there's no protection against replay attacks.
<Kev> It's full enough of holes that we should just stay well away.
<Kev> Thus the mail I just sent to council@ about getting rid of it.
<Tobias> PGP for email doesn't have that either, not?
<xnyhps> Tobias: PGP signatures contain a datestamp.
<Tobias> Kev, http://wiki.xmpp.org/web/XMPP_E2E_Security I've started to collect an overview about all proposals out there
<Kev> You should probably mention that OTR doesn't have clean discovery.
<Kev> Unless you know the person you're talking to has OTR from out-of-band discovery (e.g. talking to them), the experience is quite horrid.
<xnyhps> I disagree with the "Yes"es for Authenticity and Integrity with PGP.
<Tobias> xnyhps, it doesn't provide those?
<Kev> We should really forget 27 exists, and get rid of it.
<xnyhps> Your messages aren't signed, any attacker can replace them with any other encrypted message.
<Kev> Presumably in the other order, or we wouldn't remember what we were getting rid of.
<Tobias> xnyhps, that's for XEP-0027, not for email usage of PGP right?
<Kev> Tobias: It provides complete protection as long as you have absolute faith in your server, their server, and all the networking in between.
<Tobias> maybe I just expected XEP-0027 to be too much like email PGP
<Tobias> Kev, right...why do I need e2e then
<Kev> See earlier question about burning 27 with fire.
<xnyhps> +1 for fire.
<Tobias> !xep 27 doesn't have discovery support either it seems
<Tobias> at least I see nothing about disco in the XEP
<Tobias> updated the table...will add a couple sentences in the section above
<xnyhps> I also disagree with the "No" for multiple resources for OTR.
<xnyhps> But maybe it's also not "Yes". :P
<Tobias> right..the detailed answer probably doesn't fit in a table cell
<Tobias> but I could add a paragraph above in the section of OTR to it
<Tobias> also wondering what version we should describe there? OTRv2 or OTRv3?
<Tobias> what's used out there?
<xnyhps> I don't actually know, beyond Pidgin and Adium.
<xnyhps> (I'd also say "Malleable encryption" should be "n/a" for PGP, as it doesn't even have authenticity. Sorry for pestering you, I can't find my xmpp.org login.)
<Kev> I wonder if it'd be interesting to do a 'real' gpg spec.
<Tobias> it'd at least have great support for offline messages :)
<Kev> And at least the methods for trust are established.
<dwd> In fairness, XEP-0027 is better protection than many of the recent commercial "secure IM" services that seem to have sprung up.
<Tobias> dwd, to what are you referring exactly?
<dwd> Tobias, Most of the new security bandwagon services seem based around similarly, or worse, flawed models.
<Tobias> *most* probably qualifies here, considering the ton of new services
<Tobias> you guys know of any implementation of RFC 3923?
<dwd> I don't. I have heard people say there hasn't ever been one.
<dwd> In fairness, 3923 isn't even a bad design, as far as I can tell, it's just ugly.
<Tobias> don't RFCs require implementation at some level?
<dwd> Only to move to Draft, IIRC.
<dwd> Which is vaguely silly - they shifted the meaning of each level while keeping the requirements largely the same.
<Ge0rG> isn't it finally time to consider one-to-one chats as a subclass of multi-user chats, security-wise? After all, you have your smartphone and your desktop connected (or connecting later) and want all your IM backlog there
<Ge0rG> btw, how did WebRTC solve the certificate/identity management problem for DTLS?
<Zash> There's a fingerprint in the SDP blob.
<Ge0rG> Zash: how is that supposed to solve anything?
<Tobias> users obviously will meet in person to validate those
<Zash> And I don't know if there are actual certificates.
<Ge0rG> if I meet my users in person, what do I need WebRTC for?
<Zash> Ge0rG: Define "anything".
<Ge0rG> Zash: anything is the set of IT security properties that a cryptographic protocol should be able to solve: integrity, authenticity, privacy, nonrepudiation|deniability, and one or more unimportant ones
<Zash> Ge0rG: And a DTLS fingerprint does not?
<Zash> Assuming you shuffle that securely to the other party, along with the rest of the SDP stuff
<Ge0rG> Zash: so you are assuming a secure channel between two parties, which you use to construct a secure channel between these two parties?
<Zash> The connection to a common server, yes. :)
<Ge0rG> Zash: a trusted common server that does not manipulate your packets
<Kev> If you don't trust the server, when it's the server providing the application, you're in some amount of trouble.
<Ge0rG> ok, now that's where XMPP is different from WebRTC
<Ge0rG> does WebRTC support federation?
<Ge0rG> (actually, that question does not matter.)
<Ge0rG> I just realized that me trusting my own server does not help at all in establishing a federated session through a different, untrusted, server
<Ge0rG> who can contribute to the xmpp.org wiki?
<Zash> You, if someone gets you an account :)
<Ge0rG> ah, so the formal requirement is "get yourself added"
<Tobias> basically you just ask for an account in the jdev chatroom and some admin will likely create an account for you