Monday, January 08, 2018
xsf@muc.xmpp.org
XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

[00:06:27] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[00:16:20] *** vanitasvitae shows as "xa" and his status message is " (Not available due to inactivity for more than 15 minutes)"
[00:18:54] *** vanitasvitae shows as "online"
[00:24:10] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[00:29:54] *** vanitasvitae shows as "online"
[00:35:21] *** vanitasvitae has left the room
[00:40:21] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[00:47:57] *** ralphm has left the room
[00:48:03] *** ralphm has joined the room
[00:58:25] *** SamWhited shows as "online"
[01:11:45] *** lskdjf has left the room
[01:11:45] *** lskdjf shows as "online"
[01:15:12] *** la|r|ma has left the room
[01:20:10] *** la|r|ma shows as "online"
[01:21:02] *** la|r|ma has left the room
[01:21:03] *** la|r|ma shows as "online"
[01:23:54] *** la|r|ma has left the room
[01:23:54] *** la|r|ma shows as "online"
[01:26:47] *** la|r|ma has left the room
[01:26:48] *** la|r|ma shows as "online"
[01:27:49] *** la|r|ma shows as "online"
[01:28:27] *** la|r|ma has left the room
[01:28:27] *** la|r|ma shows as "online"
[01:33:26] *** daniel has left the room
[01:34:51] *** la|r|ma has left the room
[01:34:51] *** la|r|ma shows as "online"
[01:35:19] *** la|r|ma has left the room
[01:35:20] *** la|r|ma shows as "online"
[01:35:59] *** daniel has joined the room
[01:37:20] *** la|r|ma has left the room
[01:37:20] *** la|r|ma shows as "online"
[01:38:37] *** moparisthebest has left the room
[01:39:15] *** moparisthebest has joined the room
[01:39:15] *** la|r|ma has left the room
[01:39:15] *** la|r|ma shows as "online"
[01:41:53] *** la|r|ma has left the room
[01:41:54] *** la|r|ma shows as "online"
[01:42:25] *** la|r|ma has left the room
[01:42:25] *** la|r|ma shows as "online"
[01:44:17] *** la|r|ma has left the room
[01:44:17] *** la|r|ma shows as "online"
[01:46:29] *** la|r|ma has left the room
[01:46:29] *** la|r|ma shows as "online"
[01:47:03] *** la|r|ma has left the room
[01:47:04] *** la|r|ma shows as "online"
[01:50:30] *** la|r|ma has left the room
[01:50:30] *** la|r|ma shows as "online"
[01:52:24] *** jere has joined the room
[01:55:29] *** lumi has left the room
[01:55:32] *** la|r|ma shows as "online"
[01:59:33] *** la|r|ma has left the room
[01:59:34] *** la|r|ma shows as "online"
[02:02:32] *** la|r|ma has left the room
[02:02:33] *** la|r|ma shows as "online"
[02:06:09] *** la|r|ma has left the room
[02:06:10] *** la|r|ma shows as "online"
[02:06:40] *** moparisthebest has left the room
[02:08:30] *** moparisthebest has joined the room
[02:08:37] *** la|r|ma has left the room
[02:08:37] *** la|r|ma shows as "online"
[02:12:48] *** la|r|ma has left the room
[02:12:48] *** la|r|ma shows as "online"
[02:12:52] *** efrit has joined the room
[02:13:17] *** la|r|ma has left the room
[02:13:17] *** la|r|ma shows as "online"
[02:14:02] *** jere has left the room
[02:14:21] *** jere has joined the room
[02:17:43] *** la|r|ma has left the room
[02:17:43] *** la|r|ma shows as "online"
[02:17:46] *** xnyhps shows as "away" and his status message is "Away"
[02:18:24] *** la|r|ma has left the room
[02:18:24] *** la|r|ma shows as "online"
[02:20:05] *** la|r|ma has left the room
[02:20:05] *** la|r|ma shows as "online"
[02:20:08] *** winfried has left the room
[02:20:12] *** winfried has joined the room
[02:22:22] *** la|r|ma has left the room
[02:22:23] *** la|r|ma shows as "online"
[02:25:36] *** SamWhited shows as "online"
[02:25:48] *** winfried has joined the room
[02:26:34] *** la|r|ma has left the room
[02:26:35] *** la|r|ma shows as "online"
[02:27:04] *** @Alacer has left the room
[02:27:04] *** waqas has left the room
[02:27:11] *** @Alacer has joined the room
[02:31:49] *** la|r|ma has left the room
[02:31:49] *** la|r|ma shows as "online"
[02:37:24] *** la|r|ma has left the room
[02:41:37] *** SamWhited has left the room
[02:41:37] *** SamWhited shows as "online"
[02:54:31] *** @Alacer has left the room
[02:54:39] *** @Alacer has joined the room
[03:05:19] *** hannes has left the room
[03:05:20] *** hannes has joined the room
[03:08:59] *** efrit has left the room
[03:10:36] *** efrit has joined the room
[03:16:29] *** daniel has left the room
[03:16:33] *** daniel has joined the room
[03:27:33] *** daniel has left the room
[03:32:20] *** efrit has left the room
[03:33:16] *** winfried has left the room
[03:59:12] *** moparisthebest shows as "online"
[04:41:53] *** daniel has joined the room
[05:22:18] *** xnyhps shows as "away" and his status message is "Away"
[05:22:22] *** xnyhps shows as "online"
[05:22:23] *** Zash shows as "online"
[05:22:28] *** Zash shows as "online"
[05:24:14] *** xnyhps shows as "online"
[05:25:54] *** xnyhps shows as "online"
[05:28:38] *** xnyhps shows as "online"
[05:29:17] *** xnyhps shows as "online"
[05:34:31] *** daniel has left the room
[05:36:50] *** zinid has left the room
[05:37:12] *** daniel has joined the room
[05:37:50] *** zinid has joined the room
[05:42:00] *** xnyhps shows as "online"
[05:42:35] *** xnyhps shows as "online"
[05:45:05] *** xnyhps shows as "online"
[05:45:12] *** xnyhps shows as "online"
[05:50:06] *** hannes has left the room
[05:50:10] *** hannes has joined the room
[05:56:45] *** Tobias has left the room
[05:56:55] *** Tobias has joined the room
[05:59:00] *** daniel has left the room
[05:59:05] *** daniel has joined the room
[06:01:03] *** xnyhps shows as "online"
[06:01:44] *** xnyhps shows as "online"
[06:04:24] *** moparisthebest has left the room
[06:04:24] *** moparisthebest shows as "online"
[06:04:28] *** moparisthebest has left the room
[06:04:29] *** moparisthebest shows as "online"
[06:04:35] *** daniel has left the room
[06:04:37] *** moparisthebest shows as "online"
[06:04:39] *** xnyhps shows as "online"
[06:04:52] *** moparisthebest has left the room
[06:05:05] *** xnyhps shows as "online"
[06:06:53] *** xnyhps shows as "online"
[06:08:57] *** xnyhps shows as "online"
[06:12:02] *** daniel has joined the room
[06:13:34] *** xnyhps shows as "online"
[06:15:08] *** xnyhps shows as "online"
[06:17:32] *** daniel has left the room
[06:19:44] *** winfried has joined the room
[06:20:41] *** xnyhps shows as "online"
[06:20:43] *** xnyhps shows as "online"
[06:21:50] *** xnyhps shows as "online"
[06:22:00] *** xnyhps shows as "online"
[06:35:03] *** hannes has left the room
[06:40:07] *** goffi has joined the room
[06:40:48] *** ralphm has joined the room
[06:50:16] *** xnyhps shows as "online"
[06:50:27] *** xnyhps shows as "online"
[06:51:33] *** ralphm has left the room
[06:52:50] *** daniel has joined the room
[06:53:37] *** xnyhps shows as "online"
[06:54:30] *** xnyhps shows as "online"
[06:58:20] *** daniel has left the room
[07:00:21] *** xnyhps shows as "online"
[07:01:00] *** ralphm has joined the room
[07:02:28] *** suzyo has joined the room
[07:03:29] *** xnyhps shows as "online"
[07:05:49] *** xnyhps shows as "online"
[07:06:11] *** xnyhps shows as "online"
[07:08:52] *** Tobias has left the room
[07:09:06] *** Tobias has joined the room
[07:10:25] *** xnyhps shows as "online"
[07:10:31] *** xnyhps shows as "online"
[07:12:53] *** Kev shows as "online"
[07:13:09] *** xnyhps shows as "online"
[07:13:46] *** ralphm has left the room
[07:14:45] *** Guus has joined the room
[07:17:35] *** daniel has joined the room
[07:18:23] *** xnyhps shows as "away" and his status message is "Away"
[07:20:07] *** xnyhps shows as "away" and his status message is "Away"
[07:20:16] *** xnyhps shows as "online"
[07:21:10] *** ralphm has joined the room
[07:21:22] *** xnyhps shows as "online"
[07:22:22] *** daniel has left the room
[07:22:30] *** daniel has joined the room
[07:24:54] *** xnyhps shows as "online"
[07:25:39] *** intosi shows as "away" and his status message is "Away"
[07:25:43] *** intosi shows as "online"
[07:26:18] *** xnyhps shows as "online"
[07:28:48] *** zinid shows as "online"
[07:28:53] *** Steve Kille shows as "online" and his status message is "At Home"
[07:31:10] *** xnyhps shows as "online"
[07:32:11] *** xnyhps shows as "online"
[07:33:49] *** xnyhps shows as "online"
[07:33:53] *** Kev shows as "away"
[07:39:02] *** daniel has left the room
[07:39:07] *** daniel has joined the room
[07:42:31] *** xnyhps shows as "away" and his status message is "Away"
[07:43:24] *** Guus has left the room
[07:43:39] *** xnyhps shows as "away" and his status message is "Away"
[07:46:16] *** Kev shows as "away"
[07:46:16] *** Kev shows as "away"
[07:48:07] *** Guus has joined the room
[07:48:18] *** blabla shows as "online"
[07:50:12] *** daniel has left the room
[07:50:18] *** daniel has joined the room
[07:50:32] *** Guus has left the room
[07:52:25] *** ralphm shows as "online"
[07:53:51] *** Kev shows as "online"
[07:54:44] *** Steve Kille shows as "away" and his status message is "At Home"
[07:55:41] *** daniel has left the room
[07:58:23] *** Kev has left the room
[08:00:30] *** daniel has joined the room
[08:02:46] *** xnyhps shows as "away" and his status message is "Away"
[08:07:34] *** Steve Kille shows as "online" and his status message is "At Home"
[08:08:04] *** ralphm shows as "away" and his status message is " (Away as a result of being idle more than 15 min)"
[08:08:11] *** ralphm shows as "online"
[08:09:22] *** jonasw shows as "online"
[08:12:21] *** blabla has left the room
[08:16:04] *** Steve Kille shows as "online" and his status message is "At Home"
[08:16:05] *** Steve Kille shows as "online" and his status message is "At Home"
[08:21:43] *** ralphm shows as "online"
[08:28:23] *** ralphm has left the room
[08:31:07] *** blabla shows as "online"
[08:31:45] *** Steve Kille has left the room
[08:31:48] *** blabla has left the room
[08:32:15] *** Steve Kille has left the room
[08:32:26] *** Martin has joined the room
[08:32:33] *** ralphm shows as "online"
[08:36:59] *** Steve Kille has joined the room
[08:37:00] *** Steve Kille shows as "away" and his status message is "At Home"
[08:37:32] *** @Alacer has left the room
[08:37:36] *** @Alacer has joined the room
[08:37:56] *** Steve Kille shows as "online" and his status message is "At Home"
[08:38:13] *** Steve Kille shows as "online" and his status message is "At Home"
[08:38:14] *** Steve Kille shows as "online" and his status message is "At Home"
[08:38:48] *** Steve Kille shows as "online" and his status message is "Hampton"
[08:41:08] *** xnyhps shows as "online"
[08:53:39] *** Guus has joined the room
[08:53:44] *** Steve Kille has left the room
[08:53:44] *** daniel has left the room
[08:53:49] *** daniel has joined the room
[08:56:10] *** ralphm shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[08:57:46] *** ralphm shows as "online"
[09:04:16] *** ralphm has left the room
[09:05:45] *** jonasw shows as "online"
[09:05:52] *** Alex has joined the room
[09:06:43] *** Ge0rG shows as "online"
[09:10:07] *** hannes has joined the room
[09:10:24] *** zinid has left the room
[09:10:28] *** zinid shows as "online"
[09:20:46] *** ralphm shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[09:24:04] *** hannes has left the room
[09:24:07] *** hannes has joined the room
[09:28:17] *** Martin shows as "online"
[09:28:17] *** Martin shows as "away" and his status message is "Away"
[09:30:11] *** Martin shows as "away" and his status message is "Away"
[09:30:28] *** Martin shows as "away" and his status message is "Away"
[09:30:47] *** Martin shows as "online"
[09:34:18] *** tux shows as "dnd" and his status message is "Work work …"
[09:40:10] *** hannes has left the room
[09:40:14] *** hannes has joined the room
[09:40:18] *** Martin has left the room
[09:42:14] *** hannes has left the room
[09:42:34] *** hannes has joined the room
[09:46:20] *** Holger shows as "online" and his status message is "I'm available"
[09:49:11] *** ralphm has joined the room
[09:54:58] *** ralphm has left the room
[09:57:02] *** lumi has joined the room
[09:58:22] *** tux has joined the room
[10:03:43] *** ralphm has joined the room
[10:10:32] *** vanitasvitae has joined the room
[10:12:08] *** ralphm has left the room
[10:18:48] *** vanitasvitae has left the room
[10:19:02] *** vanitasvitae has joined the room
[10:20:43] *** vanitasvitae has left the room
[10:25:54] *** intosi shows as "online"
[10:26:05] *** Alex has left the room
[10:27:00] *** Holger shows as "away" and his status message is "I'm away"
[10:30:27] *** pep. shows as "online"
[10:33:52] *** ralphm has joined the room
[10:40:29] *** Holger shows as "online" and his status message is "I'm available"
[10:41:08] *** hannes has left the room
[10:41:11] *** hannes has joined the room
[10:41:42] *** Steve Kille shows as "away" and his status message is "Hampton"
[10:42:38] *** Alex has joined the room
[10:47:12] *** Alex shows as "online"
[10:47:21] *** Alex has left the room
[10:47:47] *** intosi shows as "online"
[10:49:02] *** Steve Kille shows as "online" and his status message is "Hampton"
[10:51:17] *** lskdjf has joined the room
[10:51:52] *** la|r|ma has joined the room
[10:52:08] *** jonasw has left the room
[11:04:02] *** Steve Kille shows as "away" and his status message is "Hampton"
[11:04:15] *** ralphm has joined the room
[11:05:52] *** Steve Kille shows as "online" and his status message is "Hampton"
[11:14:06] *** jonasw shows as "away"
[11:14:18] *** la|r|ma shows as "online"
[11:17:56] *** moparisthebest has joined the room
[11:19:25] *** intosi shows as "online"
[11:24:34] *** intosi shows as "away" and his status message is "Away"
[11:29:10] *** Steve Kille shows as "online" and his status message is "Hampton"
[11:29:19] *** Steve Kille shows as "online" and his status message is "Hampton"
[11:30:18] *** Steve Kille has left the room
[11:34:05] *** marc has joined the room
[11:37:22] *** zinid has left the room
[11:41:57] *** marc shows as "online"
[11:43:38] *** intosi shows as "away" and his status message is "Away"
[11:43:43] *** intosi shows as "online"
[11:44:23] *** ralphm has joined the room
[11:56:20] *** ralphm has left the room
[11:56:55] *** daniel has left the room
[11:57:04] *** daniel has joined the room
[12:00:35] *** Steve Kille shows as "away" and his status message is "Hampton"
[12:05:58] *** Kev shows as "away"
[12:10:39] *** Steve Kille shows as "online" and his status message is "Hampton"
[12:11:33] *** Flow has left the room
[12:13:10] *** Kev shows as "online"
[12:14:59] *** moparisthebest has joined the room
[12:17:25] *** daniel has left the room
[12:17:34] *** valo has joined the room
[12:17:34] *** daniel has joined the room
[12:18:22] *** Guus has left the room
[12:23:45] *** lskdjf shows as "online"
[12:26:45] *** MattJ shows as "online"
[12:31:29] *** Steve Kille shows as "away" and his status message is "Hampton"
[12:33:02] *** vanitasvitae has joined the room
[12:34:21] *** hannes has left the room
[12:34:43] *** hannes has joined the room
[12:35:27] *** ralphm has joined the room
[12:39:48] *** @Alacer has left the room
[12:39:51] *** @Alacer has joined the room
[12:40:02] *** @Alacer has left the room
[12:40:05] *** @Alacer has joined the room
[12:40:14] *** intosi shows as "online"
[12:43:42] *** @Alacer has left the room
[12:43:46] *** @Alacer has joined the room
[12:44:25] *** Guus has joined the room
[12:45:25] *** intosi shows as "away" and his status message is "Away"
[12:49:07] *** la|r|ma has left the room
[12:49:11] *** la|r|ma shows as "online"
[12:51:06] *** jonasw shows as "online"
[12:55:42] *** suzyo has joined the room
[13:00:13] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[13:00:33] *** hannes has left the room
[13:00:45] *** hannes has joined the room
[13:01:21] *** vanitasvitae shows as "online"
[13:03:25] *** daniel has left the room
[13:03:33] *** daniel has joined the room
[13:06:21] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[13:11:05] *** vanitasvitae shows as "online"
[13:18:21] *** hannes has left the room
[13:19:12] *** hannes has joined the room
[13:21:45] *** uc has left the room
[13:22:02] *** uc has joined the room
[13:22:47] *** ralphm has joined the room
[13:24:14] *** Kev has left the room
[13:24:55] *** Kev has joined the room
[13:24:55] *** Kev shows as "online"
[13:32:05] *** daniel has left the room
[13:32:14] *** daniel has joined the room
[13:33:06] *** ralphm has left the room
[13:35:36] *** uc has joined the room
[13:36:02] *** ralphm has joined the room
[13:36:14] *** @Alacer has left the room
[13:37:26] *** @Alacer has joined the room
[13:40:09] *** efrit has joined the room
[13:40:19] *** uc has joined the room
[13:44:13] *** Steve Kille shows as "online" and his status message is "Hampton"
[13:45:38] *** Ge0rG shows as "online"
[13:46:44] *** Dave Cridland has joined the room
[13:46:58] <Dave Cridland> Afternoon, all.
[13:47:53] <SouL> Greetings!
[13:48:06] <Dave Cridland> Just submitted one Internet Draft, plus two ProtoXEPs, covering adding TOTP-based 2FA to XMPP.
[13:48:26] <Dave Cridland> edhelas, You might be interested in that, as I recall.
[13:49:04] <edhelas> link ?
[13:49:05] <jonasw> two(!) protoxeps
[13:49:11] <jonasw> you want me to fail my exams!!!
[13:49:25] <jonasw> I may take care of them tonight
[13:49:34] <Dave Cridland> jonasw, No problem.
[13:49:46] <Dave Cridland> jonasw, As in, no rush - not that your exams aren't a problem.
[13:49:57] <jonasw> I understood, and also I was joking :)
[13:50:03] *** intosi shows as "away" and his status message is "Away"
[13:50:10] *** intosi shows as "online"
[13:51:11] *** suzyo has joined the room
[13:51:38] <Dave Cridland> edhelas, https://github.com/surevine/xeps/blob/totp-2fa/inbox/totp-2fa.xml if you can deal with an unrendered version. But I'm seeing a build error in that - whoops. Also I'm a bit light on example flows, which is poor given I've implemented this bit.
[13:53:18] *** jjrh has left the room
[13:53:30] *** jjrh shows as "online"
[13:53:38] <Dave Cridland> edhelas, The Internet Draft is here: https://datatracker.ietf.org/doc/draft-cridland-kitten-clientkey/
[13:54:28] <Dave Cridland> edhelas, That basically covers a SASL mechanism designed to cope with the fact we don't want to ask for TOTP codes every time, and also don't want to weaken security by not doing so.
[13:54:54] <Dave Cridland> edhelas, It demands a few supporting functions from the containing protocol, which is the other ProtoXEP.
[13:55:02] <edhelas> okay good
[13:55:09] <edhelas> will have a look at it asap
[13:55:11] <Ge0rG> Dave Cridland: how often is it supposed to ask for TOTP verification?
[13:55:29] <Dave Cridland> Ge0rG, Without the CLIENT-KEY mechanism? Every time.
[13:55:39] <Ge0rG> Dave Cridland: this question is generally interesting to me in the context of long-living TCP sessions, but also for 0198 and ISR
[13:55:44] <Dave Cridland> Ge0rG, That would, of course, be nuts.
[13:55:48] <Ge0rG> Dave Cridland: and with client key?
[13:56:12] <Dave Cridland> Ge0rG, With CLIENT-KEY, it wouldn't. But CLIENT-KEY has expiry and things built in, to force users to reauthenticate.
[13:56:38] *** jjrh has left the room
[13:56:51] *** jjrh shows as "online"
[13:58:13] <jonasw> Dave Cridland, Builds/xeps/inbox/totp-2fa.xml: not well-formed (invalid token): line 99, column 61
[13:58:22] *** daniel has left the room
[13:58:27] *** daniel has joined the room
[13:58:28] <Dave Cridland> jonasw, Yeah, the ABNF. On it...
[13:59:49] <Ge0rG> Dave Cridland: will CLIENT-KEY expiry close the session, or require an in-session reauth?
[14:00:01] <Dave Cridland> Neither.
[14:00:10] *** jere has joined the room
[14:00:15] <Ge0rG> So if I have a good network, I can stay logged in forever?
[14:00:47] <jonasw> at some point, the server's certificate will expire and your client will of course disconnect you :)
[14:00:50] <Dave Cridland> Ge0rG, Sure. I imagine if a server admin thought this was a problem they could put in a session expiry.
[14:01:07] <Ge0rG> jonasw: I LOLed.
[14:01:19] <jonasw> sleekxmpp actually does that.
[14:01:50] <Kev> Presumably if there is an issue with authentication of long-lived sessions, this goes beyond the tokens, and would apply to all sessions.
[14:02:16] <Kev> Seems orthogonal to this.
[14:03:23] *** ralphm has joined the room
[14:03:40] <Dave Cridland> jonasw, Incorrectly, I'd suggest. The certificate defines how long the identity assertion is warranted for, not how long the identity might last.
[14:04:24] *** jjrh has left the room
[14:04:45] <Dave Cridland> jonasw, Travis is back doing its magic on an update.
[14:04:51] <jonasw> Dave Cridland, not sure. If I actually managed to steal a certificate, long-running sessions would fall for me longer than needed.
[14:05:38] *** jjrh shows as "online"
[14:05:49] <Dave Cridland> jonasw, Quite possibly. But that's not what the certificate expiry is for.
[14:06:34] <jonasw> so it would be more reasonable to periodically check CRLs, fair enough. But once the certificate is expired, you don’t have anything to check for in the CRL anymore.
[14:06:56] <jonasw> ah okay, but you could also assume that the identity was then correctly asserted when you connected and don’t need to care anymore.
[14:07:47] <jonasw> Dave Cridland, built for website in progress, ETA 2h
[14:08:40] *** jjrh has left the room
[14:09:13] <mathieuii> Dave Cridland, maybe the namespace would be better as urn:xmpp:totp:0? "mfa" is a bit broader than TOTP
[14:10:49] *** Dave Cridland shows as "online"
[14:11:05] *** Dave Cridland has left the room
[14:11:11] *** Dave Cridland shows as "online"
[14:11:18] *** uc has left the room
[14:11:36] *** uc has joined the room
[14:12:24] <jonasw> Steve Kille, for the next time, please note that you’re in the wrong month with your revision dates (2018-02 vs. 2018-01). I fixed it this time :)
[14:13:10] <Steve Kille> oops
[14:13:27] <Steve Kille> and thanks
[14:13:46] <jonasw> build in progress, ETA ≤ 2h
[14:15:52] *** blabla shows as "online"
[14:16:12] *** Holger shows as "away" and his status message is "I'm away"
[14:16:12] *** Holger shows as "online" and his status message is "I'm available"
[14:16:44] <mathieuii> one of my concerns is that most services offering TOTP have "recovery codes" the user can use when they lose their secret
[14:16:47] *** jjrh shows as "online"
[14:20:58] *** jjrh has left the room
[14:21:12] *** jjrh shows as "online"
[14:22:05] <Ge0rG> mathieuii: is that a sentiment about lack of security of 2FA implementations?
[14:22:35] <mathieuii> not security, rather improved security leading to account locking
[14:23:22] <Ge0rG> it should be really hard but not impossible to recover from a 2FA loss
[14:24:31] <mathieuii> yes
[14:25:08] <mathieuii> well, currently there’s no standard for password recovery either, so that’s consistent at least
[14:25:32] *** Kev shows as "away"
[14:25:34] *** Kev shows as "away"
[14:26:22] <Ge0rG> I'm still interested in specifying how long a session is bound to be valid, and if it should be legal to resume a session from a different TCP connection by means of ISR+0198.
[14:27:06] <jonasw> isn’t that the whole idea of ISR+0198?
[14:27:47] <Ge0rG> jonasw: yes
[14:28:48] <Ge0rG> jonasw: but consider a pre-ISR pre-CLIENT-KEY world, where the user enters a TOTP token value on each login.
[14:29:08] <Ge0rG> how long should that authenticated session be considered valid? Until the expiry of the server SSL cert?
[14:29:12] *** Flow has joined the room
[14:29:25] <Ge0rG> Hi Flow! Were just talking about you ;)
[14:29:46] <Flow> what a coincidence :)
[14:30:08] <MattJ> It's similar to the question of whether s2s connections should close when the cert that was used to authenticate them expires
[14:30:44] <Ge0rG> I tend to agree with Kev that it's somewhat orthogonal to SSL cert lifetime, though.
[14:31:01] <Ge0rG> The question still remains, how long and under which conditions a session should be considered valid.
[14:31:47] <Ge0rG> TLS session reuse also comes to mind in this context.
[14:32:56] <Ge0rG> But I'm not very inclined to outsource the reauth of a layer 7 client session to TLS.
[14:35:10] *** Kev shows as "away"
[14:35:44] <Ge0rG> I assume this is related to the identity of the client (device|application), and the amount of state an attacker has to extract to prove he's actually that entity.
[14:36:43] <Zash> Do you stop being you when your cert expires?
[14:36:54] <mathieuii> yes
[14:37:18] <Ge0rG> Zash: you can't know for sure.
[14:37:23] *** ralphm has joined the room
[14:37:24] <Dave Cridland> mathieuii, Oh, we did account unlocking too. Do we want a XEP on it? We did that as a SASL mechanism based around emailed codes.
[14:37:55] <Ge0rG> Why must everything be a SASL mechanism?
[14:38:27] <Dave Cridland> Ge0rG, Because it's an authentication, and that's where authentications live in XMPP.
[14:39:12] <Ge0rG> So it requires to re-login to enter the unlock code?
[14:39:36] <Dave Cridland> Ge0rG, No, an unlock code *is* an authentication.
[14:41:05] *** Dave Cridland has left the room
[14:41:08] *** Dave Cridland shows as "online"
[14:41:41] *** Dave Cridland has left the room
[14:41:54] *** Dave Cridland shows as "online"
[14:42:05] <Ge0rG> Dave Cridland: oh, maybe I have a different understanding of that term then.
[14:43:20] <Dave Cridland> Ge0rG, Well, let me put it this way. After entering an unlock code, the system then trusts you sufficiently that it'll let you reset passwords, reconfigure TOTP, etc. That means presumably it trusts that you are who you claim to be, which means an authentication must have occurred by definition.
[14:44:10] *** SamWhited shows as "online"
[14:44:17] <Ge0rG> Dave Cridland: I was thinking about "unlock" in the sense that your account gains additional permissions after verifying that you have read access to that email address.
[14:45:00] <Ge0rG> Dave Cridland: what you are describing sounds like a password|credentials reset mechanism, which of course _is_ an authentication
[14:45:06] <Dave Cridland> Ge0rG, Ah, I see. No, I was meaning the codes to unlock/recover an account when the TOTP is lost.
[14:45:20] <Ge0rG> so maybe "account recovery" would be a better term, then
[14:46:16] <Dave Cridland> Ge0rG, Yeah, probably.
[14:47:22] <Ge0rG> marc and I are working on a quick&dirty solution to a similar problem, where you have an initial token that you use to complete an account registration, and our plan was to stuff it into an additional IBR element.
[14:47:38] <Ge0rG> Though I must admit I don't particularly like that approach.
[14:48:19] <Ge0rG> Technically speaking, the account already exists with a given user name but without a password, and that approach allows a client to re-use the IBR flow to set a user-defined password.
[14:48:27] <Ge0rG> This is pretty similar to account recovery, though.
[14:49:06] <marc> Ge0rG, didn't follow the discussion but the account doesn't exist in my approach
[14:49:26] <Ge0rG> marc: how do you ensure that nobody else registers the same account?
[14:49:37] <marc> Ge0rG, checking :)
[14:49:46] <Ge0rG> marc: this answer is insufficient.
[14:50:06] <marc> Ge0rG, for user invitation you don't have the problem
[14:50:23] <marc> for account creation the account name is reserved
[14:50:44] *** Holger has left the room
[14:50:49] <Ge0rG> marc: the easiest way to reserve an account name is to register that account, isn't it?
[14:51:04] <marc> Ge0rG, no, because the invitation may expire
[14:51:15] <marc> account creation
[14:51:23] <Ge0rG> Ah, right.
[14:51:42] <marc> Puh, I expected a big discussion :D
[14:53:29] <marc> I should write this down right now...
[14:54:11] <marc> Ge0rG, btw, we still need the ibr=true query parameter, right?
[14:54:45] <Ge0rG> marc: yes
[14:54:55] <marc> okay, good
[14:56:10] <jonasw> marc, how’s your progress on submitting the protoxep?
[14:56:35] <marc> jonasw, what does submitting mean? Official submitting or publishing it on my web server?
[14:56:41] <jonasw> marc, the former
[14:56:46] <jonasw> a PR to the xeps repo
[14:56:50] *** moparisthebest shows as "online"
[14:57:00] <Guus> For those that are interested: I've sent out the summit / fosdem hotel group discount details and registration form to the summit mailing list.
[14:57:12] *** vanitasvitae has left the room
[14:57:32] <marc> I don't know what a protoXEP should look like before submitting it
[14:58:19] <jonasw> marc, if it’s implementable, that’s already quite good. basic readability, a set of requirements you want to achieve, a basic motivation and of course a protocol description.
[14:58:52] *** vanitasvitae has joined the room
[15:00:23] *** vanitasvitae has left the room
[15:00:29] <Ge0rG> The end is nigh! https://techcrunch.com/2018/01/08/telegram-open-network/
[15:01:46] <mathieuii> "Durov’s idea is to launch an entirely new blockchain" send help
[15:02:31] <marc> jonasw, I need a better motivation and probably some other stuff is missing
[15:02:40] <marc> jonasw, I try to push it to my webserver tomorrow
[15:03:04] <marc> So you guys can look at it, give some feedback before pushing it to xsf repo
[15:03:38] <Ge0rG> marc: I can help you write some sections. Just give me a git 😜
[15:03:39] <jonasw> I feel that this feedback should happen in official protoxep or even experimental state.
[15:04:12] <Ge0rG> I've submitted the astonishing number of 1 xeps already.
[15:04:23] <marc> jonasw, I don't think so because I expect that there will be some really basic mistakes etc.
[15:04:30] <jonasw> marc, don’t worry about that
[15:04:41] <marc> Ge0rG, will give you a Git tomorrow I think
[15:05:03] <jonasw> this will help ironing out those mistakes. if it is too bad for Experimental status (which I don’t think), you can still refine it
[15:05:04] <Ge0rG> marc: 👍🏽
[15:06:28] *** hannes has joined the room
[15:07:17] *** ralphm has joined the room
[15:11:42] *** Dave Cridland has left the room
[15:11:44] *** Dave Cridland shows as "online"
[15:11:48] *** Dave Cridland has left the room
[15:12:01] *** Dave Cridland shows as "online"
[15:16:18] *** daniel has left the room
[15:16:28] *** daniel has joined the room
[15:21:44] <Dave Cridland> jonasw, +1 to that.
[15:21:52] *** Kev shows as "online"
[15:21:58] <Dave Cridland> Or more generally, if it's worth working on, it's worth submitting.
[15:24:07] <zinid> Ge0rG,
> Durov and his brother Nikolai Durov, a mathematical genius
I lol'd. Who wrote this?
[15:24:24] <Ge0rG> zinid: probably a journalistic genius.
[15:25:14] *** ralphm has joined the room
[15:26:13] <Dave Cridland> Man, that's one seriously transparent Poniz scheme.
[15:26:18] <Dave Cridland> Man, that's one seriously transparent Ponzi scheme.
[15:27:45] <Dave Cridland> "Its proof of stake approach will reach consensus through a variant of the ‘Byzantine Fault Tolerant’ protocol, again increasing speed and efficiency." - erm, BFT algorithms are universally slower than normal consensus algorithms. Pretty sure that normal Bitcoin is BFT as well. Also BFT is a property not a protocol.
[15:29:18] <zinid> of course BFT is slower, especially the one with timeouts
[15:29:50] <Ge0rG> Now stop bashing the Durovs and let's focus on our own ICO! JabberCoin!
[15:30:05] *** daniel has left the room
[15:30:13] *** daniel has joined the room
[15:30:28] <Ge0rG> I even have a motto for it already: "The brightest light [or lamp?] in crypto moneys!"
[15:30:34] <intosi> XeptoCoin?
[15:33:45] <moparisthebest> introducing, JabberCoin! (5 minutes later, sued to death by cisco...)
[15:34:18] <zinid> there is already a shitcoin
[15:34:20] <Ge0rG> Oh, right. That trademark thing.
[15:34:31] <Ge0rG> zinid: so we make a JIDcoin
[15:34:40] <moparisthebest> zinid, a ? like only 1 ?
[15:34:42] <Dave Cridland> moparisthebest, The XSF can license us, though.
[15:35:15] <Ge0rG> Dave Cridland: I'm not sure we can have something that starts with "jabber" and is a commercial entity from the XSF.
[15:35:22] <zinid> moparisthebest, https://github.com/shitcoin/shitcoin
[15:35:25] <Ge0rG> From my last reading of the terms, it needs Cisco approval.
[15:35:49] *Ge0rG ,oO( Initial Github Offering? )
[15:37:39] <zinid> created a bug report: https://github.com/shitcoin/shitcoin/issues/6
[15:37:50] <moparisthebest> zinid, I'd give that coin an award for truth in advertising
[15:38:03] <Dave Cridland> Ge0rG, Yes, you're right.
[15:38:38] <Ge0rG> Dave Cridland: that's almost the only thing stopping me from creating the Jabber Software Foundation. That, and a lack of volunteers.
[15:38:57] *** marc has left the room
[15:39:06] *** marc shows as "online"
[15:39:57] <Dave Cridland> Ge0rG, If it's non-profit you could.
[15:40:37] <Ge0rG> Dave Cridland: I can't even get people to sign my anti-spam manifesto. How am I supposed to build up a Foundation?
[15:41:31] <zinid> what manifesto?
[15:41:46] <moparisthebest> Starting from the bottom usually
[15:42:03] <Ge0rG> zinid: https://gist.github.com/ge0rg/2e4accf6950821ca45f743fdf587c08e
[15:42:13] *** Dave Cridland has left the room
[15:42:17] *** Dave Cridland shows as "online"
[15:42:19] *** Dave Cridland has left the room
[15:42:28] <Dave Cridland> Ge0rG, With your natural charisma?
[15:42:32] *** Dave Cridland shows as "online"
[15:44:22] <zinid> not sure what is the goal of the manifesto
[15:44:27] <zinid> to reach a consensus?
[15:44:42] <Ge0rG> zinid: to make a public statement about blocking and shaming abandoned servers.
[15:44:47] <MattJ> To reach a long list of good spam-free servers
[15:44:48] <moparisthebest> zinid: get major server admins to agree?
[15:44:56] <zinid> ok, and what practical implications?
[15:45:01] <jonasw> Ge0rG, where did you even advertise that?
[15:45:13] <Ge0rG> jonasw: the manifesto? I asked some server admins so far
[15:45:21] <MattJ> zinid, if you're not on the list, people may limit/filter/block traffic from your server
[15:45:23] <moparisthebest> jonasw agreed to operate an rbl right? :)
[15:45:35] <zinid> MattJ, nice 🙂
[15:45:58] <zinid> but what if I don't run a public server? I'll be blocked too?
[15:46:17] <MattJ> If you don't originate spam, I doubt it :)
[15:46:27] <jonasw> moparisthebest, I did
[15:47:26] <Ge0rG> XMPP spam is Russian. zinid is Russian. Might get blocked by accident.
[15:47:36] <jonasw> :>
[15:47:42] <jonasw> block ru TLD, be done with spam ;-)
[15:48:09] <Ge0rG> jonasw: no, they are using IBR servers all over the world. Need to block cyrillic letters instead.
[15:48:27] <jonasw> I wasn’t serious anyways
[15:48:31] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[15:48:34] <moparisthebest> jonasw, re: rbl, someone mentioned not-dns but can you imagine the beefy xmpp server you'd have to host to accept s2s from all other xmpp servers? 😕 vs tiny resources of a dns server, or use cloudflare ...
[15:48:49] <jonasw> moparisthebest, yeah, dns it’ll be
[15:49:08] <jonasw> I’ll also run this on a dedicated machine. I expect some trouble out of it.
[15:49:22] <Ge0rG> jonasw: you should run it on a dedicated uplink then.
[15:49:28] <jonasw> Ge0rG, that’s my ISPs job :>
[15:49:31] <Ge0rG> in a dedicated data center.
[15:49:35] <Ge0rG> on a dedicated Internet.
[15:49:37] <jonasw> they have DDoS-protection
[15:49:43] <jonasw> at least they advertise it
[15:50:03] <moparisthebest> you could just let a big DNS provider take care of it for you
[15:50:17] <jonasw> moparisthebest, thought of that, but I wonder how well updates would work with that
[15:50:23] <moparisthebest> cloudflare, hurricane electric, I'm sure there are other free ones
[15:50:30] <moparisthebest> cloudflare has an API at least
[15:50:52] <jonasw> I don’t like cloudflare
[15:50:53] <Ge0rG> you could run a hidden primary and have some provider run the secondaries.
[15:51:02] <moparisthebest> jonasw, another, yep what Ge0rG said
[15:51:03] <jonasw> Ge0rG, that sounds like a good plan.
[15:51:28] *** daniel has left the room
[15:51:33] *** daniel has joined the room
[15:52:22] <zinid> Ge0rG, do you have s2s dialback enabled on yax.im?
[15:52:30] *** jere has joined the room
[15:52:42] <moparisthebest> jonasw, for my domains I run hidden primary and use these 3 providers (4 dns servers total) for "secondary" https://freedns.afraid.org/secondary/ https://puck.nether.net/dns/dnsinfo https://acc.rollernet.us/dns/secondary.php
[15:53:06] <moparisthebest> only ones I could find that support everything I needed, dnssec and such too
[15:53:22] <Ge0rG> zinid: yes I do
[15:53:39] *** daniel has left the room
[15:53:50] *** daniel has joined the room
[15:53:58] *** Dave Cridland shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[15:54:33] <Ge0rG> moparisthebest: do you have stats from them?
[15:54:40] *Ge0rG is looking for a new secondary for some zones
[15:54:53] <jonasw> Ge0rG, I’ll be happy to :)
[15:54:54] <moparisthebest> Ge0rG, what kind of stats?
[15:55:00] <jonasw> but no guarantees :)
[15:55:05] *** daniel has left the room
[15:55:13] *** daniel has joined the room
[15:55:26] <Ge0rG> moparisthebest: reliability, speed of zone propagation, such things.
[15:55:36] *** Dave Cridland shows as "online"
[15:55:49] *Ge0rG has been using the freedns dyndns service for some 15 years now
[15:55:52] <moparisthebest> Ge0rG, so 2 of the 3 providers support the push thing so zone propagation is instant
[15:56:07] <jonasw> unfortunately, cloudflare thinks that DNS secondary is an enterprise solution :/
[15:56:09] <moparisthebest> I want to say puck.nether.net is the one that takes up to like 10 minutes
[15:56:36] <moparisthebest> but as to the rest, I've been using them for years and never noticed any of them being down (I run a script hourly to check)
[15:56:49] <Ge0rG> moparisthebest: great!
[15:56:56] <moparisthebest> which, is good enough for me, that's why I have 3 different providers and 4 servers 😛
[15:57:05] <moparisthebest> the likelihood all 3 are ever down seems slim
[15:58:02] <jonasw> anyways, gotta go
[15:58:02] *** jonasw shows as "away"
[15:58:05] *** daniel has left the room
[15:58:12] *** daniel has joined the room
[15:59:17] *** Holger shows as "online" and his status message is "I'm available"
[15:59:24] *** Kev shows as "away"
[16:00:48] *** daniel has left the room
[16:00:56] *** daniel has joined the room
[16:01:18] *** winfried shows as "online"
[16:02:46] *** zinid shows as "online"
[16:04:11] *** daniel has left the room
[16:04:18] *** daniel has joined the room
[16:05:06] <Ge0rG> Monal. Will create an individual notification for each message in a conversation. Won't delete any if you respond from the PC.
[16:07:16] *** vanitasvitae has joined the room
[16:08:49] *** ralphm has joined the room
[16:10:44] <moparisthebest> Ge0rG, this is a good one too (multicast) but no dnssec 😢 https://system-ns.com/services/secondary
[16:10:48] *** daniel has left the room
[16:10:56] *** daniel has joined the room
[16:11:08] <moparisthebest> in fact I have a HUGE list of free secondaries that do not do dnssec if you want that I can send that to you somewhere else
[16:11:09] *** winfried shows as "away" and his status message is "sssssttttt! my computer fell asleep"
[16:11:52] <Ge0rG> moparisthebest: not that I would care about DNSSEC, with the sad .IM situation
[16:12:11] <moparisthebest> yea, what happened with that?
[16:12:23] <moparisthebest> last I heard they said they would add support, which had to have been years ago
[16:12:38] <Ge0rG> moparisthebest: really? Last thing I heard was "not on the agenda"
[16:12:42] *** Dave Cridland has left the room
[16:12:45] *** Dave Cridland shows as "online"
[16:12:48] *** Dave Cridland has left the room
[16:12:55] <Ge0rG> And that was when DLV was still a thing
[16:12:56] *** Alex has joined the room
[16:12:59] *** Dave Cridland shows as "online"
[16:13:30] <moparisthebest> I thought someone from here contacted them
[16:13:35] <Ge0rG> moparisthebest: I did
[16:13:58] <Ge0rG> moparisthebest: last time in 2015, "Unfortunately as per our previous correspondence there is still no movement regarding your query."
[16:15:29] <moparisthebest> Currently .im zone does not support DNSSEC, which will eventually make it a more secure and robust. You can help convince .im authorities to support DNSSEC by sending email to the special address dnssec@nic.im.
[16:15:43] <moparisthebest> wonder if that email still exists, also, you should bug them again Ge0rG 😛
[16:16:04] <Ge0rG> I've lost my hope in DNSSEC
[16:16:05] <moparisthebest> nowadays I don't buy domains unless they have full dnssec support 😢
[16:16:15] <moparisthebest> at least all the new ones are required to have it
[16:18:16] *** winfried shows as "online"
[16:18:46] *** lumi shows as "away" and his status message is "(Idle 10 min)"
[16:18:55] *** marc has left the room
[16:19:37] *** suzyo has joined the room
[16:21:37] *** xnyhps shows as "away" and his status message is "Away"
[16:21:38] *** daniel has left the room
[16:21:43] *** efrit has left the room
[16:21:44] *** marc has left the room
[16:22:25] *** daniel has joined the room
[16:23:22] *** lskdjf shows as "online"
[16:23:25] *** Kev has left the room
[16:25:18] *** vanitasvitae has left the room
[16:25:30] *** georg has joined the room
[16:26:11] *** Kev shows as "online"
[16:26:54] <Ge0rG> Sigh. Clients that ignore the bookmarked nickname for 300.
[16:28:01] <Ge0rG> And then a gazillion popups from ChatSecure. Looks like it does MUC MAM too, now.
[16:29:10] *** ralphm has joined the room
[16:32:18] *** vanitasvitae has joined the room
[16:33:58] *** georg has left the room
[16:34:06] *** vanitasvitae has left the room
[16:34:36] *** efrit has joined the room
[16:36:08] *** vanitasvitae has joined the room
[16:36:24] *** vanitasvitae shows as "away" and his status message is " (Abwesend wegen Untätigkeit für mehr als 15 Minuten)"
[16:36:24] *** vanitasvitae shows as "online"
[16:36:25] *** vanitasvitae shows as "away" and his status message is " (Abwesend wegen Untätigkeit für mehr als 15 Minuten)"
[16:36:25] *** vanitasvitae shows as "online"
[16:39:55] *** Ge0rG shows as "online"
[16:43:25] *** suzyo has joined the room
[16:44:23] *** Dave Cridland has left the room
[16:44:27] *** Dave Cridland shows as "online"
[16:44:30] *** Dave Cridland has left the room
[16:44:41] *** Dave Cridland shows as "online"
[16:44:42] *** daniel has left the room
[16:44:50] *** daniel has joined the room
[16:46:12] *** @Alacer shows as "online"
[16:46:28] *** xnyhps shows as "away" and his status message is "Away"
[16:46:36] *** xnyhps shows as "online"
[16:46:36] *** @Alacer has left the room
[16:48:27] *** xnyhps shows as "online"
[16:48:53] *** xnyhps shows as "online"
[16:55:51] *** blabla shows as "online"
[17:00:00] *** xnyhps shows as "online"
[17:00:20] *** xnyhps shows as "online"
[17:00:32] *** xnyhps shows as "away" and his status message is "Away"
[17:01:32] *** xnyhps shows as "away" and his status message is "Away"
[17:03:01] *** blabla has left the room
[17:05:40] *** Syndace has joined the room
[17:08:46] *** lumi shows as "xa" and his status message is "(Idle 60 min)"
[17:10:53] *** Syndace has left the room
[17:10:57] *** Syndace has joined the room
[17:12:05] *** daniel has left the room
[17:12:40] *** daniel has joined the room
[17:14:01] *** Holger shows as "away" and his status message is "I'm away"
[17:14:20] *** winfried shows as "away" and his status message is "sssssttttt! my computer fell asleep"
[17:15:38] *** Dave Cridland has left the room
[17:15:41] *** Dave Cridland shows as "online"
[17:18:06] *** lumi shows as "online"
[17:19:37] *** suzyo has joined the room
[17:21:31] *** winfried shows as "online"
[17:25:25] <Kev> Ge0rG: I have put XMPP2 onto the Summit agenda. I don't know if you'll be there, but I'll be covering it if you're not.
[17:25:33] *** jere has joined the room
[17:25:38] *** ralphm has joined the room
[17:25:52] <Ge0rG> Kev: I think the most probable outcome is me tele-participating.
[17:26:09] <Ge0rG> Even though I always only get 30% through WebEx :(
[17:26:24] <Ge0rG> Kev: have you written down any proto-XEP yet?
[17:26:44] <Kev> I was hoping to get the Informational thing submitted before the summit, but that's looking very tight now. We'll see.
[17:26:48] <Kev> Right, I was just typing that :)
[17:26:53] <Ge0rG> Kev: Also, I think last time we limited the scope from XMPP2 down to message routing 2
[17:27:23] *** Guus shows as "online"
[17:28:00] <Kev> I think we need to cover more than just message routing 2, to be able to advance various things.
[17:28:06] *** daniel has left the room
[17:28:10] *** daniel has joined the room
[17:28:40] <Ge0rG> Kev: various things are good, right?
[17:29:44] <Kev> I don't know which of the possible meanings of that you intend.
[17:30:51] <Ge0rG> Kev: I hope I can take the time to actually do my presentation; maybe that would be a good prequel to your XMPP2?
[17:31:33] <Ge0rG> Kev: I'm not quite sure what you think needs solving beyond message routing in XMPP2, so I've lost track of the scope of our discussion now.
[17:31:56] <Kev> Multi-device sync.
[17:32:06] <Kev> Of which message routing is a subset, I think.
[17:33:09] <Kev> I think bind2/sasl2 are part of this too, although maybe they don't currently need discussion.
[17:33:17] *** Dave Cridland shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[17:33:41] <Ge0rG> Kev: I'd consider multi-device sync as part of the message routing problem.
[17:33:52] <Kev> No, definitely the other way around :)
[17:34:08] <Kev> Because sync involves both history fetching and read-state synchronising, neither of which is routing :)
[17:34:25] <Ge0rG> it's routing to the archive and from the archive ;)
[17:34:42] <Ge0rG> but it's all part of the same problem, and "multi-device sync" is as good a name as anything.
[17:35:06] <Kev> It also *might* include highlighting notifications potentially.
[17:35:16] *** intosi shows as "online"
[17:35:24] <Kev> Although that is strictly distinct and can be worked on separately.
[17:35:35] *** ralphm shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[17:35:51] <Ge0rG> Kev: there is some overlap. And some other overlap with push.
[17:36:03] <Kev> There is *huge* overlap with push.
[17:36:17] <Ge0rG> Except when E2EE is involved.
[17:36:20] <Kev> Push is essentially just one instance of highlight/notifications.
[17:36:41] <Ge0rG> Well, you might be right on that one.
[17:37:39] *** ralphm shows as "online"
[17:37:47] <moparisthebest> Can xmpp 2 ditch STARTTLS also?
[17:38:14] <Kev> I think that's roughly orthogonal, isn't it?
[17:38:23] <Ge0rG> Kev: except in the current ISR spec
[17:38:34] <Ge0rG> where there is a `location` pointer to a direct-TLS server.
[17:40:12] <moparisthebest> Kev: well if the goal is to make things quicker no
[17:40:29] *** intosi shows as "away" and his status message is "Away"
[17:40:43] <Kev> moparisthebest: That isn't the goal of this in general, no.
[17:40:58] <moparisthebest> One srv query is better than two, plus TLS goodies like 0rtt, fast start etc etc
[17:41:25] <moparisthebest> Or if the goal is to reduce legacy at all
[17:41:46] <Kev> Yes, not arguing that going back to 'xmpps' isn't sensible, but I don't see that as part of the same problem.
[17:41:54] <Kev> No, reducing legacy isn't an aim in itself.
[17:43:17] *** Dave Cridland shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[17:43:23] *** Dave Cridland shows as "online"
[17:43:37] <moparisthebest> Well like Ge0rG said isr requires direct TLS, if you don't drop STARTTLS all new servers need to support both
[17:43:39] <zinid> everyone went back to xmpps already, after configuring direct-tls on my server, all my clients automatically switched on it (dino and conversations)
[17:43:50] <moparisthebest> Seems like a small beneficial change to me
[17:44:42] *** bear has left the room
[17:44:51] <moparisthebest> And so I hear gajim 1.0 beta zinid
[17:45:33] <zinid> all the more so
[17:45:33] *** Guus has left the room
[17:45:34] *** Guus shows as "online"
[17:45:57] <Kev> moparisthebest: We can't drop STARTTLS for as long as we have 6120. Which I've no interest in replacing.
[17:46:48] *** bear has joined the room
[17:46:50] *** bear shows as "away" and his status message is "Away"
[17:47:30] <moparisthebest> ah I thought this was the push to new RFC
[17:47:46] <moparisthebest> the new routing rules don't conflict?
[17:48:19] *** tux has joined the room
[17:50:57] *** ralphm shows as "online"
[17:51:30] <zinid> 6120 is okayish, it's 6121 which should be replaced, IMO
[17:52:46] *** ralphm shows as "online"
[17:54:14] *** zinid has left the room
[17:54:26] <Kev> I don't think there's any fundamental issues in 6120. I was just noting that 6120 requires starttls, so things need to keep implementing it.
[17:54:43] <Kev> And yes, chunks of 6121 need overriding.
[17:55:24] *** jjrh has left the room
[17:55:27] *** jjrh shows as "online"
[17:56:32] *** Guus has left the room
[17:59:44] *** intosi shows as "away" and his status message is "Away"
[17:59:48] *** intosi shows as "online"
[18:01:48] *** Dave Cridland has left the room
[18:01:51] *** Dave Cridland shows as "online"
[18:03:58] <moparisthebest> then I guess that'd be a different effort, but it would be nice to kill STARTTLS (and therefore possibility of un-encrypted connections) and any mention of dialback in 6120 at least
[18:05:08] *** @Alacer has left the room
[18:05:23] *** jonasw shows as "online"
[18:05:35] *** lumi shows as "away" and his status message is "(Idle 10 min)"
[18:07:30] *** Kev shows as "away"
[18:07:37] *** Dave Cridland has left the room
[18:07:39] *** Dave Cridland shows as "online"
[18:08:43] <zinid> I think dialback makes sense, not every admin understands PKIX currently
[18:09:22] <moparisthebest> wow then they need to stop being an admin
[18:09:36] <moparisthebest> retire, start another career they can do
[18:09:46] <zinid> that's rude
[18:09:54] <Ge0rG> Potato farming is a thing
[18:10:07] <moparisthebest> you don't need to have a full understanding of everything involved in PKIX or anything
[18:10:11] *** ralphm shows as "online"
[18:10:11] <zinid> I kinda agree, but don't want to lose customers 😉
[18:10:24] <zinid> moparisthebest, I don't say "full"
[18:10:33] <moparisthebest> but if you don't understand how to get/use a TLS certificate in 2018, then you should not be an admin of any type of server
[18:10:51] *** Dave Cridland shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[18:11:01] *** la|r|ma shows as "online"
[18:11:02] <zinid> so your solution is to replace admins?
[18:11:12] *** efrit has left the room
[18:11:21] <moparisthebest> I haven't met an admin that couldn't do it
[18:11:34] <moparisthebest> if such an admin exists and refuses to learn, yes, replace them
[18:12:05] *** lumi shows as "online"
[18:12:29] <zinid> moparisthebest, the problem is that XSF cannot replace admins
[18:13:07] *** ralphm has left the room
[18:13:08] <moparisthebest> it's getting impossible to run http without https, if it's good enough for http, it's surely good enough for xmpp
[18:13:20] <zinid> impossible?
[18:13:27] <zinid> how that? I run it without https
[18:13:42] <moparisthebest> it's *getting* impossible
[18:13:57] <zinid> but not impossible so far
[18:14:06] <moparisthebest> you are missing out on all the new features, and are guaranteed to never get new features (new compression, like brotli, http2, etc etc)
[18:14:20] <moparisthebest> *and* soon browsers will issue ugly 'insecure' warnings
[18:14:32] *** Steve Kille shows as "online" and his status message is "Hampton"
[18:14:41] <zinid> yeah, the dream of cryptobitches
[18:14:58] <Zash> I hope you enjoy the future where you must get permission from some authority to host a website.
[18:16:04] *** Kev shows as "online"
[18:16:08] *** intosi shows as "online"
[18:16:10] <zinid> Zash, only a restricted list of authorities 😉
[18:16:13] *** @Alacer has joined the room
[18:16:25] <moparisthebest> you can self-sign just like always
[18:16:34] <Zash> Ha, good luck with that
[18:16:36] <moparisthebest> just import it into your trusted CA list on every machine 😛
[18:16:42] <zinid> moparisthebest, but self-sign doesn't work already
[18:17:10] <zinid> also, dialback resolves the issue: you can self-sign
[18:18:30] <Zash> Dialback is pretty terrible tho
[18:19:04] *** moparisthebest shows as "online"
[18:19:56] <moparisthebest> I think dnssec+dane solves the issue without CAs too right?
[18:20:06] <Ge0rG> I love how browsers have made self-signed SSL appear less secure than plain-text HTTP.
[18:20:14] <moparisthebest> not for you poor .im victims
[18:20:19] <moparisthebest> but for normal people 🙂
[18:20:22] <Zash> Browsers hate DANE, so good luck with that
[18:20:36] <moparisthebest> I meant for xmpp
[18:20:40] <moparisthebest> as a dialback alternative
[18:20:51] *** Dave Cridland shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[18:21:21] *** intosi shows as "away" and his status message is "Away"
[18:22:44] *** Zash shows as "online"
[18:23:45] *** Guus shows as "online"
[18:24:52] *** Zash has left the room
[18:25:08] *** jonasw shows as "online"
[18:25:53] *** marc has joined the room
[18:26:54] *** Steve Kille has left the room
[18:28:21] *** Dave Cridland shows as "online"
[18:29:24] *** jjrh has left the room
[18:30:04] *** jjrh shows as "online"
[18:30:28] *** jjrh has left the room
[18:30:39] *** Kev shows as "away"
[18:31:16] *** Zash has left the room
[18:32:00] *** Dave Cridland has left the room
[18:32:00] *** jjrh shows as "online"
[18:32:12] *** Dave Cridland shows as "online"
[18:32:25] *** Zash shows as "online"
[18:32:47] *** hannes has joined the room
[18:34:34] <moparisthebest> Ge0rG, yea they are in the process of fixing that , already as of oct 2017 any http sites with forms are marked 'not secure' https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
[18:36:05] *** Steve Kille has joined the room
[18:36:05] *** Steve Kille shows as "away" and his status message is "Hampton"
[18:36:14] <Ge0rG> moparisthebest: but they haven't fixed SRVid certs
[18:36:42] <moparisthebest> that's only an xmpp problem though right?
[18:36:58] <Ge0rG> moparisthebest: no, it's a non-web problem.
[18:37:24] <moparisthebest> what else uses SRV and enforces valid TLS certs?
[18:38:06] <jonasw> moparisthebest, I think mumble can do both
[18:38:52] *** Steve Kille shows as "online" and his status message is "Hampton"
[18:40:02] *** Steve Kille shows as "online" and his status message is "At Home"
[18:40:08] *** Dave Cridland has left the room
[18:40:11] *** Dave Cridland shows as "online"
[18:42:09] *** Dave Cridland has left the room
[18:42:11] *** Dave Cridland shows as "online"
[18:42:56] <Ge0rG> So how can I test Direct-TLS before activating the SRV records?
[18:43:21] <moparisthebest> Ge0rG, openssl s_client ?
[18:45:57] *** Dave Cridland shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[18:46:18] <Ge0rG> SRV is used by LDAP, SIP and... *Minecraft*!
[18:46:51] <moparisthebest> but I think most don't enforce valid TLS
[18:47:08] *** jjrh has left the room
[18:47:28] *** jjrh shows as "online"
[18:47:30] *** jjrh has left the room
[18:47:35] *** jjrh shows as "online"
[18:48:01] <moparisthebest> Ge0rG, I think you'd test it like openssl s_client -connect xmpps.conversations.im:443 -servername conversations.im -alpn xmpp-client
[18:48:27] *** winfried shows as "away" and his status message is "sssssttttt! my computer fell asleep"
[18:48:50] *** jjrh has left the room
[18:48:56] *** Dave Cridland has left the room
[18:48:58] *** Dave Cridland shows as "online"
[18:49:02] *** Dave Cridland has left the room
[18:49:07] *** marc has left the room
[18:49:13] *** Dave Cridland shows as "online"
[18:49:13] *** jjrh shows as "online"
[18:49:19] <Ge0rG> I think prosody will ignore the alpn part.
[18:49:34] *** jjrh has left the room
[18:49:36] *** uc has joined the room
[18:49:40] *** jjrh shows as "online"
[18:49:47] *** jjrh has left the room
[18:50:01] <moparisthebest> sslh in front of it might not though
[18:50:03] *** jjrh shows as "online"
[18:50:17] <moparisthebest> -servername and -alpn may not be needed depending on server setup
[18:50:45] <Ge0rG> But yeah, got it now. If I don't send a proper stream header, it will fall back to HTTPS
[18:52:19] *** jjrh has left the room
[18:54:05] *** jjrh shows as "online"
[18:54:30] <Ge0rG> _xmpps-client._tcp.yax.im has SRV record 5 1 443 xmpp.yaxim.org.
[18:54:34] <Ge0rG> Let's see how it works out.
[18:54:57] <moparisthebest> does yaxim (the client) support that now?
[18:55:28] *** jjrh has left the room
[18:55:57] *** Dave Cridland shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[18:55:57] *** georg has joined the room
[18:56:04] *** jjrh shows as "online"
[18:56:05] <Ge0rG> moparisthebest: no :(
[18:56:11] *** georg has left the room
[18:56:43] *** jjrh has left the room
[18:56:44] <moparisthebest> well if you add support watch the srv fallback logic, all 3 clients I've seen with support initially were broken on at least invalid xml being returned 🙂
[18:57:06] <moparisthebest> I need to setup like bad.example.org for some test cases or something, one day
[18:57:13] *** jjrh shows as "online"
[18:58:07] *** Syndace has left the room
[18:58:14] *** uc has joined the room
[18:58:27] *** winfried shows as "xa" and his status message is "sssssttttt! my computer fell asleep"
[18:59:04] *** ralphm has joined the room
[18:59:21] *** jjrh has left the room
[19:01:27] *** jjrh shows as "online"
[19:03:04] <jonasw> define broken
[19:03:29] *** Zash has left the room
[19:04:15] *** Syndace has joined the room
[19:04:42] <moparisthebest> jonasw, well, most fell back only if TCP connect to port failed, invalid TLS cert would be a different error and would abort switching to next SRV record
[19:04:53] <moparisthebest> or invalid XML would abort the attempts
[19:05:08] <moparisthebest> things like that
[19:05:23] <Ge0rG> So my server is slowly accepting more and more connections on :443.
[19:05:31] *** Syndace has left the room
[19:05:38] *** Syndace has joined the room
[19:06:04] <moparisthebest> Ge0rG, how do you have it set up? I can't tell from my end
[19:06:30] <moparisthebest> usually I'd just 'openssl s_client -connect 212.21.75.16:443 -servername yax.im -alpn xmpp-client', type something, hit enter, and either get junk from nginx or prosody 🙂
[19:06:31] <Ge0rG> moparisthebest: mod_net_multiplex on :443
[19:06:41] <moparisthebest> I don't get anything from your server though
[19:06:51] <Ge0rG> moparisthebest: give it a valid XML stream
[19:07:06] <Ge0rG> It's been enabled for a year, but I never managed to test and add the SRV record.
[19:07:21] *** Syndace has left the room
[19:07:25] *** Syndace has joined the room
[19:08:27] *** jjrh has left the room
[19:08:28] <moparisthebest> hmm I can't find any docs on that module, didn't know it existed
[19:08:59] <Flow> moparisthebest: so an invalid cert should be ignored and the next SRV RR tried?
[19:09:17] <moparisthebest> Flow, I think so, why not?
[19:09:25] *** jjrh shows as "online"
[19:10:11] *** jjrh has left the room
[19:10:11] <Flow> moparisthebest, dunno, do browsers try a different A/AAAA RR if the cert is invalid?
[19:10:30] <moparisthebest> probably not, but those aren't SRV records where you *should* try next
[19:10:49] *** jjrh shows as "online"
[19:10:51] <Flow> well only by priority
[19:11:16] <Flow> and it's also debatable if an invalid cert should trigger a fallback
[19:11:34] <Flow> but if that's what we want, then xep368 should mention it
[19:12:04] <moparisthebest> what about invalid xml ?
[19:12:21] <moparisthebest> I actually don't know, it should follow same rules as normal starttls srv fallback I guess
[19:13:12] <moparisthebest> https://tools.ietf.org/html/rfc6120#section-3.2.1 "6. If the initiating entity fails to connect using that IP address
but the "A" or "AAAA" lookups returned more than one IP address,
then the initiating entity uses the next resolved IP address for
that FDQN as the connection address."
[19:13:13] <Flow> I never saw such rules ;)
[19:13:26] <Flow> well those I saw
[19:13:30] <moparisthebest> I guess the debate is what 'fails to connect' means 🙂
[19:13:39] <moparisthebest> I would class any errors as a failure and fallback
[19:13:47] <moparisthebest> including invalid XML or invalid TLS cert
[19:14:28] <Flow> anyway, SRV fallback on invalid cert would possibly be a good idea to aid cert migration or so
[19:15:04] <SamWhited> I disagree; SRV fallback should only happen if there are errors during the TCP connection. Afterwards you're done with SRV and can throw the records away, because you have a connection to a thing in the SRV record.
[19:15:10] <jonasw> moparisthebest, I’m not sure that "try another SRV record" is the appropriate course of action if one SRV records yields invalid XML...
[19:15:24] <moparisthebest> why not jonasw ?
[19:15:31] <jonasw> I’m just not sure :)
[19:15:34] <SamWhited> SRV/TCP connection and the application layer protocol are two different layers of the stack that shouldn't be mixed.
[19:15:35] <moparisthebest> if so xep-368 is useless and should be abandoned 😛
[19:15:36] <Flow> jonasw, "SRV records yields invalid XML"?
[19:15:46] *** pep. shows as "online"
[19:15:53] <jonasw> Flow, s/if one SRV records/if a server on a specific SRV record/
[19:16:03] <jonasw> moparisthebest, why?
[19:16:18] <moparisthebest> try any account on burtrum.org over ipv4 on any client that doesn't implement ALPN (dino for instance)
[19:16:31] <moparisthebest> it fails to connect, because if you don't send alpn, you get a non-xml response from nginx
[19:16:43] <jonasw> moparisthebest, you should have written that in the XEP
[19:16:49] *** xnyhps shows as "away" and his status message is "Away"
[19:16:54] <Flow> I'm usually a fan of fail fast, but after thinking some more about it: What can you lose by trying a lower priority SRV RR?
[19:16:55] <jonasw> clients do not have to set the ALPN. it thus has to work without it.
[19:16:58] *** xnyhps shows as "online"
[19:17:01] *** winfried shows as "online"
[19:17:06] <moparisthebest> right, I think it's in there
[19:17:37] <moparisthebest> Server operators should not expect multiplexing (via ALPN) to work in all scenarios and therefore should provide additional SRV record(s) that do not require multiplexing (either standard STARTTLS or dedicated direct XMPP-over-TLS).
[19:18:00] <moparisthebest> so I have additional SRV records that don't require ALPN, because I expect clients to fall back 🙂
[19:18:15] <jonasw> I think the error modes clients have to expect should be spelt out explicitly
[19:18:19] <SamWhited> "standard STARTTLS" uses a completely different set of SRV records, it's not part of normal SRV fallback. It requires making a different connection using a different record.
[19:18:22] <jonasw> I’m pretty sure that bad things™ happen with aioxmpp
[19:18:25] <jonasw> and probably no fallback
[19:18:35] <jonasw> SamWhited, it does, that’s specified in XEP-0368
[19:18:42] <SamWhited> jonasw: what does what?
[19:18:44] <moparisthebest> SamWhited, that xep suggests mixing them as if they are one set of SRV records
[19:18:50] <jonasw> SamWhited, it is (part of the normal SRV fallback), that’s specified in XEP-0368
[19:18:54] <Flow> what jonas said, the xep should mention it, especially since we have evidence that most developers forget about the fallback case(s)
[19:19:10] <SamWhited> Oh geeze, I thought that got taken out. That makes no sense and I will be ignoring it.
[19:19:13] <moparisthebest> when I wrote it I assumed fallback would just work, I had to make it work in conversations
[19:19:23] <moparisthebest> but yea I'm just now noticing clients not handling it well
[19:19:36] <jonasw> SamWhited, it’s "just" a SHOULD, but in fact the first point in the rules :)
[19:19:37] <moparisthebest> so I agree, that should be in implementation notes now 🙂
[19:19:39] *** Dave Cridland has left the room
[19:19:41] *** Dave Cridland shows as "online"
[19:20:06] <jonasw> moparisthebest, clients probably have very specific rules on what allows a fallback, with everything else leading to an explicit and early error fully out of the stack
[19:20:07] <moparisthebest> yes it used to be MUST but someone ( ralphm I think) pointed out they might want to JUST query xmpps-client
[19:20:11] <SamWhited> I doubt most DNS libraries will work that way, so unless you're willing to do some weird hackery or do your own SRV logic you're not going to be able to mix two different SRV record sets anyways (I suspect, admittedly, that's just a guess)
[19:20:21] <jonasw> are there DNS libraries which handle SRV logic? ;-)
[19:20:33] <jonasw> I had to roll that myself, too
[19:20:39] <moparisthebest> most I've seen give you a list, and you have to sort/try them yourself
[19:20:44] <jonasw> that
[19:21:04] <moparisthebest> but does anyone see harm in falling back in any type of 'non-success' ?
[19:21:10] <moparisthebest> or at least, invalid TLS or invalid XML
[19:21:12] <jonasw> yes.
[19:21:17] <moparisthebest> like where a connection is not established
[19:21:18] <jonasw> authentication failure is probably a bad idea to fall back on
[19:21:25] <jonasw> or lack of a (client-)required stream feature
[19:21:29] <moparisthebest> yes was going to say not that
[19:21:35] <Flow> jonasw: https://github.com/MiniDNS/minidns/blob/master/minidns-hla/src/main/java/de/measite/minidns/hla/ResolverApi.java#L183
[19:21:36] <moparisthebest> well, auth
[19:21:40] <SamWhited> Yah, I don't know what the issue would be, but I suspect mixing various layers of the stack like that will just lead to issues, possibly security issues.
[19:21:46] <moparisthebest> a lack of client-required stream feature, why not fall back?
[19:21:56] <moparisthebest> maybe the next server has what you are looking for?
[19:22:04] <jonasw> Flow, I can’t tell from the code whether that does the sorting?
[19:22:14] <Flow> jonasw, it does the right thing™
[19:22:15] <jonasw> moparisthebest, because the servers are supposed to be identical
[19:22:24] <moparisthebest> jonasw, why? where does it say that?
[19:22:29] <SamWhited> Or, at best, just make development *much* harder since you won't be able to separate your XMPP stuff from your SRV/DNS stuff.
[19:22:34] <Flow> (so sorting and taking weight into consideration)
[19:22:35] <jonasw> Flow, so it returns an iterable of SRV records which I can try in that order?
[19:22:43] <Flow> jonasw, yep
[19:22:43] <jonasw> Flow, okay
[19:22:51] *** xnyhps shows as "away" and his status message is "Away"
[19:22:59] <jonasw> does it select records from the same priority randomly or does it allow you to try multiple of the same priority?
[19:23:19] <jonasw> (when I asked about that a year ago or so, people suggested that trying all records from the same priority set on some errors would probably be a good idea)
[19:23:25] <Flow> hmm fallback on invalid XML and cert, yes, but on authentication failure? no…
[19:23:30] *** jjrh has left the room
[19:23:34] *** jjrh shows as "online"
[19:23:43] <moparisthebest> yea I think maybe that would be a sensible place to draw the line
[19:23:49] *** xnyhps shows as "away" and his status message is "Away"
[19:23:49] <jonasw> moparisthebest, it doesn’t make sense to me logically that the same identity would offer different stream features depending on the interface I use to connect to it
[19:23:55] <moparisthebest> if you get to authentication, quit, otherwise fallback
[19:24:04] <Flow> jonasw, I don't think that you are supposed to try multiple RRs from the same priority
[19:24:18] <moparisthebest> jonasw, why, maybe they run ejabberd on one server and prosody on the other and have some home-grown thing to connect them?
[19:24:45] <SamWhited> How does your SRV code know that you've gotten to auth or that there was an XML error? You're forcing much tighter coupling than is necessary by making application level errors affect behavior in the TCP layer
[19:24:59] *** valo has joined the room
[19:25:07] <jonasw> sure you could be doing that, with a lot of pain, it would probably work for a minute or two, but I don’t think that’s a case we should plan for. in the best case, it only delays the error from reaching the user, which can be for quite some time on a bad connection.
[19:25:24] <Flow> uhh, a heterogeneous xmpp server cluster, want!
[19:25:28] <moparisthebest> SamWhited, I think the sane system is your SRV code gives you a List<(ip, port, direct_tls_bool)> and then you try them in order?
[19:25:36] *** winfried shows as "away" and his status message is "sssssttttt! my computer fell asleep"
[19:25:47] <jonasw> SamWhited, my SRV code provides an iterable of connection options which are then tried in order (until either one succeeds or a fatal (e.g. authn-failed) error occurs)
[19:25:50] <moparisthebest> that's at least how conversations works
[19:25:50] <jonasw> the SRV code is over at that point
[19:25:57] <SamWhited> moparisthebest: what if my connection library is entirely self contained? (eg. the connection library I wrote which just "dials" an XMPP socket and hands you a raw TCP socket back to use)
[19:26:16] <moparisthebest> then you should rework that 😛
[19:26:16] <SamWhited> My SRV code does not touch or know anything about my XMPP code and I should be able to keep it that way; they're completely unrelated.
[19:26:37] <jonasw> SamWhited, I think your dial does too much
[19:26:41] <moparisthebest> I don't see anywhere where SRV says fallback only in the event of TCP not connecting
[19:26:48] <jonasw> users may have legitimate reasons to override the SRV lookup
[19:26:52] <jonasw> (e.g. during testing)
[19:26:59] <moparisthebest> not even rfc6120
[19:27:01] <jonasw> so having those two functions separate is definitely required
[19:27:17] <moparisthebest> it uses a vague 'fails to connect' language
[19:27:20] <jonasw> and once you’ve got there, you can properly decouple the two (srv lookup and dial) and provide a third which mixes both
[19:27:36] <jonasw> (i.e. iterates over the records and tries them until either success or fatal error, where not every error is fatal)
[19:27:50] <moparisthebest> in fact SRV couldn't say that, because it supports things other than TCP that don't have a defined 'connection'
[19:28:18] <SamWhited> I don't see how it's doing too much; you call dial and it looks up SRV records and tries them until it gets a valid connection then hands them back. That's about as simple and self-contained of a library as you can get.
[19:28:22] <moparisthebest> but regardless, sounds like we could use some good on-list discussion about proper SRV fallback behavior
[19:28:33] <jonasw> moparisthebest, that sounds sensible
[19:28:44] <moparisthebest> and then put some if not all of it in xep-368
[19:28:53] <SamWhited> If the end user wants to "override" SRV behavior they can pass a different socket into the XMPP library and not use the SRV dialing library
[19:28:54] <moparisthebest> I guess waiting so long before final turns out to be a good idea 🙂
[19:29:02] <jonasw> SamWhited, ah I see
[19:29:07] <moparisthebest> SamWhited, wouldn't a lib like that take a username+password ?
[19:29:14] <moparisthebest> in which case it'd know if it reached auth yet
[19:29:19] <SamWhited> moparisthebest: no, it's just dialing TCP connections, it doesn't know anything about XMPP
[19:29:30] <moparisthebest> oh, well, that's odd
[19:29:35] <jonasw> I tend to agree
[19:29:43] <moparisthebest> especially for direct TLS
[19:29:44] <SamWhited> It just knows to do a query for "xmpps-client" or whatever and get some records back, then it tries them (based on priority) until it gets a valid connection.
[19:29:56] <jonasw> yeah, I don’t think that’s good
[19:29:59] <SamWhited> Why not?
[19:30:05] <Flow> define "valid connection"
[19:30:13] <SamWhited> "a tcp socket was established"
[19:30:20] <moparisthebest> so it doesn't check TLS cert either?
[19:30:31] <Flow> there you have your issue
[19:30:48] <SamWhited> I can't remember, it might do TLS
[19:30:53] *** ralphm has joined the room
[19:30:55] <jonasw> SamWhited, the server could be telling you that it is out of capacity currently
[19:30:59] <moparisthebest> a xmpp connection is in my opinion a negotiated stream over a valid TLS connection
[19:31:11] <moparisthebest> so like, after you get that far, maybe don't fallback
[19:31:17] <moparisthebest> but before you should absolutely fallback
[19:31:41] <Flow> moparisthebest: I wonder how you noticed that the implementations did not perform a fallback in those cases? Did that cause you any usability issues? Or did you just look at the code?
[19:32:00] <moparisthebest> Flow, yea I fired up dino and it failed to connect 😛
[19:32:12] <Flow> ahh because of alpn
[19:32:19] <moparisthebest> same with conversations with my initial patch, but I was already deep in that code so I fixed it
[19:32:23] *** jjrh has left the room
[19:32:25] <SamWhited> I disagree, SRV/TCP is a transport layer thing, XML/XMPP are an application layer thing. Mixing the two will just lead to complexity and possibly security issues.
[19:32:27] *** jjrh shows as "online"
[19:32:48] <moparisthebest> SamWhited, SRV has nothing to do with TCP and therefore nothing to do with connections
[19:32:52] <moparisthebest> if you want to go up that high
[19:32:53] *** SouL shows as "online"
[19:33:36] <moparisthebest> imagine a _udp SRV record, what a successful connection entails is entirely application layer
[19:33:39] <moparisthebest> same here imho
[19:33:47] <Flow> yep, it feels like SRV records to be more at the application layer
[19:33:52] <SamWhited> Yah, I actually have some separation there too but it's not relevant for this discussion
[19:34:17] <SamWhited> But the retrying is just about dialing TCP sockets, it's definitely not application layer
[19:34:24] <jonasw> SamWhited, it could also simply timeout after accepting the TCP connection
[19:34:26] <moparisthebest> still disagree
[19:34:28] <jonasw> because the server is massively overloaded
[19:34:30] <SamWhited> Or rather, not application protocol layer. It has nothing to do with XMPP and I don't want it to know about XMPP.
[19:34:31] <jonasw> and you should be trying the next one
[19:34:39] <jonasw> you can’t tell that purely from the TCP layer
[19:34:47] <moparisthebest> then how do _udp SRV records work?
[19:35:09] <jonasw> SamWhited, make XMPP know about the SRV records, not the SRV records know about XMPP.
[19:35:13] <SamWhited> These aren't udp SRV records, but fair enough, I don't know
[19:35:36] *** winfried shows as "xa" and his status message is "sssssttttt! my computer fell asleep"
[19:35:41] *** la|r|ma has left the room
[19:35:41] <SamWhited> jonasw: now my XMPP library can't work over a unix domain socket or a random in-memory pipe or something else. It's tightly coupled to my library that dials TCP connections
[19:36:02] <jonasw> SamWhited, not necessarily
[19:36:08] <moparisthebest> basically you are saying SRV should apply only to TCP connections and I'm saying they should apply to XMPP connections, of which a TCP connection is just the first part, I think
[19:36:47] <moparisthebest> I don't think either stance is necessarily wrong or right, just needs to be agreed upon and written down and followed 🙂
[19:37:18] <jonasw> as I said earlier; in my design, the SRV stuff simply gives a list of connector objects; that list is appended to the list of connector objects supplied by the current connection (if any; used e.g. for XEP-0198 @location). it’s easy to add a UnixDomainConnector and use that.
[19:38:15] <moparisthebest> but I didn't really think about it apparently, and if SRV really stops falling back at successful TCP, parts of 368 are incorrect and need to be fixed
[19:38:39] <SamWhited> At worst I think mixing the dialer/TCP stuff with XMPP error logic could be a security issue, at best I think it needs to not be specified and just left to be an implementation detail. If my library doesn't retry on invalid XML and yours does, it's not a compatibility issue so why specify that behavior?
[19:38:57] <moparisthebest> well then your library doesn't work with my server
[19:39:13] <moparisthebest> which I guess is fine, unless my server happens to be huge like conversations.im or something
[19:39:20] <jonasw> SamWhited, it is a compatibility issue with XEP-0368 servers which require ALPN.
[19:39:30] *** SouL shows as "online"
[19:39:46] <Flow> the xep should at least recommend fallback on invalid cert/xml
[19:39:49] <moparisthebest> I have to patch 368 support out of dino to use it currently, for example
[19:40:22] <jonasw> moparisthebest, would you care to fire an aioxmpp example against your server?
[19:40:30] <moparisthebest> as added fun, my server does not require alpn over ipv6 😛 (which, having unlimited addresses, I multiplex that way instead of sslh...)
[19:40:43] <SamWhited> Why is it a compatibility issue there? If you have a server with ALPN why would you mix records that use ALPN and a dedicated IP that doesn't use it? If you have an IP for that particular server, you don't need ALPN, or did I misunderstand that?
[19:40:46] <moparisthebest> jonasw, I can make you a test account if you like
[19:40:56] <jonasw> moparisthebest, EBUSY currently
[19:41:02] <jonasw> and I’ll likely forget about it :/
[19:41:09] *** Holger shows as "online" and his status message is "I'm available"
[19:41:27] <moparisthebest> SamWhited, directly from xep-368 "Server operators should not expect multiplexing (via ALPN) to work in all scenarios and therefore should provide additional SRV record(s) that do not require multiplexing (either standard STARTTLS or dedicated direct XMPP-over-TLS)."
[19:41:33] <jonasw> SamWhited, xmpps-server requiring ALPN over v4, but not over v6 and in addition a fallback xmpp-server RR seems like a reasonable setup
[19:41:43] <moparisthebest> which obviously expects clients to fallback when hit with invalid xml or whatever
[19:41:52] <jonasw> moparisthebest, I don’t find that obvious tbh :)
[19:42:04] <jonasw> but that may simply be my lack of domain knowledge
[19:42:11] <moparisthebest> jonasw, well obvious to me, but in hindsight, I fully agree with you 😛
[19:42:30] <moparisthebest> again, no one ever accused me of being an english wizard 😛
[19:43:01] <SamWhited> Ah, this is about falling back to STARTTLS, that I also think is a bad thing, mixing SRV records just feels like it's going to cause problems and unexpected behavior, though again I'm not sure how
[19:43:15] <moparisthebest> well, or falling back at all
[19:43:33] <moparisthebest> I think my current SRV setup is 443 first (which requires alpn or you get invalid xml) and then 5223 next
[19:43:39] <moparisthebest> and then 5222/starttls
[19:44:34] <moparisthebest> if we decide fallback stops at tcp connect I'd need to move priority to 5223 first, 5222 second, 443 last
[19:44:42] <SamWhited> Tangentially related but not about the current discussion: If you had ALPN on 443 doesn't HTTP require ALPN? So you could make your XMPP server the default if no ALPN protocol is specified and assume browsers will do ALPN properly and HTTP will always work?
[19:45:11] <moparisthebest> you could, only http2 browsers will do it though
[19:45:16] <SamWhited> ahh, right
[19:45:18] <moparisthebest> which is most newish/secure ones for sure
[19:45:28] <SamWhited> Will they do it for http/1.1 as well though, or just http/2?
[19:45:39] <moparisthebest> I think they do it for both
[19:45:55] <moparisthebest> I know http/1.1 is defined, not sure if I've ever actually checked honestly
[19:47:52] <moparisthebest> also this would need updated https://wiki.xmpp.org/web/Tech_pages/XEP-0368
[19:48:08] <moparisthebest> in hindsight I fully assumed fallback would happen regardless 🙂
[19:48:47] *** Steve Kille shows as "away" and his status message is "At Home"
[19:48:47] *** jjrh has left the room
[19:50:44] *** jjrh shows as "online"
[19:51:49] *** jjrh has left the room
[19:51:52] *** jjrh shows as "online"
[19:57:34] *** jjrh has left the room
[19:57:38] *** jjrh shows as "online"
[19:58:38] *** Alex has left the room
[19:59:28] *** Steve Kille shows as "online" and his status message is "At Home"
[20:02:56] *** Tobias shows as "online"
[20:02:58] *** Tobias shows as "online"
[20:03:12] *** Tobias has left the room
[20:05:26] *** Alex has joined the room
[20:08:00] *** jjrh has left the room
[20:08:57] *** jjrh shows as "online"
[20:12:47] *** valo has left the room
[20:12:51] *** valo has joined the room
[20:14:19] *** intosi shows as "away" and his status message is "Away"
[20:14:21] *** intosi shows as "online"
[20:16:43] *** Steve Kille shows as "away" and his status message is "At Home"
[20:27:14] *** daniel has left the room
[20:27:23] *** daniel has joined the room
[20:30:31] *** jjrh has left the room
[20:31:15] *** jjrh shows as "online"
[20:33:30] *** daniel has left the room
[20:33:41] *** jjrh has left the room
[20:33:43] *** daniel has joined the room
[20:34:08] *** jonasw has left the room
[20:34:13] *** jjrh shows as "online"
[20:37:16] *** daniel has left the room
[20:37:29] *** daniel has joined the room
[20:37:55] *** Dave Cridland has left the room
[20:37:59] *** Dave Cridland shows as "online"
[20:38:13] *** Guus has left the room
[20:39:41] *** Guus shows as "online"
[20:40:54] *** jjrh has left the room
[20:41:10] *** jjrh shows as "online"
[20:42:33] *** jjrh has left the room
[20:42:36] *** jjrh shows as "online"
[20:51:02] *** lskdjf has left the room
[20:51:06] *** lskdjf shows as "online"
[20:51:34] *** ralphm has joined the room
[20:53:34] *** xnyhps shows as "away" and his status message is "Away"
[20:53:38] *** xnyhps shows as "online"
[20:58:40] *** xnyhps shows as "online"
[20:58:55] *** xnyhps shows as "online"
[21:03:40] *** had-hoc has left the room
[21:06:35] *** xnyhps shows as "away" and his status message is "Away"
[21:07:34] *** xnyhps shows as "away" and his status message is "Away"
[21:08:40] *** ralphm has left the room
[21:16:18] *** jonasw shows as "away"
[21:19:12] *** goffi has left the room
[21:20:16] *** Guus has left the room
[21:21:14] *** intosi shows as "online"
[21:21:43] *** Guus shows as "online"
[21:23:22] *** lumi shows as "away" and his status message is "(Idle 10 min)"
[21:25:52] *** lumi shows as "online"
[21:26:08] *** intosi shows as "away" and his status message is "Away"
[21:28:37] *** daniel has left the room
[21:28:44] *** daniel has joined the room
[21:30:42] *** had-hoc has joined the room
[21:31:06] *** jere has joined the room
[21:36:06] *** daniel has left the room
[21:36:20] *** daniel has joined the room
[21:42:22] *** Steve Kille shows as "online" and his status message is "At Home"
[21:44:39] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[21:45:51] *** vanitasvitae shows as "online"
[21:48:44] <zinid> moparisthebest, "prosody legacy port"
[21:49:18] <moparisthebest> zinid, yea prosody devs need to alias that to 'direct_tls_port' 😛
[21:49:34] <zinid> moparisthebest, I think the article shouldn't assume the server name
[21:49:38] <moparisthebest> zinid, what does ejabberd call it? I assume something similar
[21:49:52] <zinid> just replace prosody with 'xmpp server'
[21:50:11] <zinid> the text is valid for all servers
[21:50:35] <moparisthebest> well I wanted to be explicit, I'll put 'prosody legacy_ssl_port' or ejabberd whatever_that_calls_it
[21:50:38] <zinid> nginx
[21:50:44] <zinid> what if I use haproxy?
[21:52:15] *** ralphm has joined the room
[21:52:58] <moparisthebest> it's not a spec it's an example
[21:54:00] <zinid> ok, so I will copy it, replace names and submit to the wiki?
[21:54:20] <zinid> because I cannot refer to the article in this version
[21:54:26] <moparisthebest> sure if it's useful 😛
[21:54:47] <moparisthebest> it's more meant for people who followed a tutorial to set up prosody or something
[21:54:54] <moparisthebest> people who can read specs probably don't need it
[21:55:28] <zinid> as I said above, sslh config is the same for *any* xmpp/imap/http server
[21:56:01] <moparisthebest> yes, but if I say like 'xmpp server direct tls port' then you have to search docs to discover what that's named
[21:56:24] <moparisthebest> so I'd like to say xmpp server direct tls port (prosody legacy_ssl_ports, ejabberd whatever_its_called)
[21:56:27] <zinid> what?
[21:56:34] <moparisthebest> and then https port (nginx, apache)
[21:56:39] <moparisthebest> or whatever, in the comments
[21:56:57] <moparisthebest> I thought it was pretty obvious you didn't *have* to use prosody
[21:57:30] <moparisthebest> but feel free to update the wiki with ejabberd name or whatever too, it's a wiki
[21:59:05] *** vanitasvitae shows as "away" and his status message is " (Abwesend wegen Untätigkeit für mehr als 5 Minuten)"
[21:59:13] *** vanitasvitae shows as "online"
[21:59:33] <zinid> nah, it is better to rename the page to prosody-nginx-openssh-dovecot related configuration
[21:59:49] <zinid> then I'm fine with it
[22:01:42] <moparisthebest> haha
[22:02:32] <zinid> anyway, I don't remember my account credentials, so
[22:02:42] <moparisthebest> if you set up ejabberd and haproxy and tiny-ssh and cyrus-imap and can't figure out how to apply that config to your setup, oh well
[22:03:31] <zinid> moparisthebest, nice logic
[22:03:50] <zinid> moparisthebest, why didn't you put 'prosody' everywhere in xep-0368 instead of 'xmpp server'?
[22:04:04] <zinid> if someone can't figure that, oh well...
[22:04:07] <moparisthebest> because it's a spec, not a friendly hand-holdy example 😛
[22:04:34] <zinid> but your logic still applies
[22:05:26] <moparisthebest> it's like a tutorial or an example, that's all
[22:05:46] <moparisthebest> make it too generic and it gets useless, like I said, I'm fine with adding what ejabberd calls it in there
[22:06:45] <zinid> ejabberd doesn't call anything related to this
[22:07:22] <zinid> listen:
  -
    port: 5223
    module: ejabberd_c2s
    tls: true
  ...
[22:07:30] <zinid> not sure what should be called here and why
[22:07:37] <moparisthebest> and that implied direct tls ?
[22:07:45] <moparisthebest> *implies
[22:08:05] <zinid> yes, and `starttls: true` implies starttls, who would have thought that 🙂
[22:08:44] *** edhelas has left the room
[22:08:52] <moparisthebest> do you have to specify one or the other?
[22:09:14] *** edhelas has joined the room
[22:09:32] <zinid> no, if you don't need (start)tls at all
[22:09:42] <zinid> but you cannot specify both
[22:09:44] <moparisthebest> if you don't does it imply starttls ?
[22:09:48] *** Alex has left the room
[22:09:56] <zinid> no, it implies no starttls
[22:10:00] <zinid> plain connection
[22:10:44] *** moparisthebest shows as "online"
[22:11:24] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[22:12:19] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[22:13:04] *** SamWhited has left the room
[22:13:52] <moparisthebest> check that edit zinid https://wiki.xmpp.org/web/Tech_pages/XEP-0368 better?
[22:14:26] <zinid> yes, much better, thanks
[22:14:30] *** MattJ shows as "away"
[22:14:37] <moparisthebest> np, thanks for ejabberd config info!
[22:15:35] *** edhelas has left the room
[22:16:00] *** edhelas has joined the room
[22:18:16] <zinid> does dino support ALPN?
[22:22:19] *** vanitasvitae shows as "xa" and his status message is " (Not available due to inactivity for more than 15 minutes)"
[22:26:06] *** Steve Kille shows as "away" and his status message is "At Home"
[22:26:13] *** vanitasvitae shows as "online"
[22:28:20] *** Alex has joined the room
[22:31:15] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[22:34:38] *** lumi shows as "away" and his status message is "(Idle 10 min)"
[22:37:50] *** Holger shows as "online" and his status message is "I'm available"
[22:39:02] *** lumi shows as "online"
[22:41:15] *** vanitasvitae shows as "xa" and his status message is " (Not available due to inactivity for more than 15 minutes)"
[22:41:57] *** vanitasvitae shows as "online"
[22:41:57] *** winfried shows as "xa" and his status message is "sssssttttt! my computer fell asleep"
[22:41:58] *** winfried has left the room
[22:42:01] *** winfried shows as "online"
[22:42:34] *** winfried has left the room
[22:42:35] *** winfried has left the room
[22:42:42] *** winfried has joined the room
[22:42:49] *** winfried shows as "xa" and his status message is "sssssttttt! my computer fell asleep"
[22:46:01] *** Zash has left the room
[22:46:58] *** blabla has joined the room
[22:47:01] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[22:48:57] *** Zash has joined the room
[22:57:00] <moparisthebest> zinid: not currently, that's how I discovered the broken fallback
[22:57:01] *** vanitasvitae shows as "xa" and his status message is " (Not available due to inactivity for more than 15 minutes)"
[22:58:13] *** vanitasvitae shows as "online"
[23:03:27] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[23:05:18] *** zinid has left the room
[23:06:47] *** Dave Cridland has left the room
[23:06:51] *** Dave Cridland shows as "online"
[23:06:57] *** Dave Cridland has left the room
[23:07:12] *** Dave Cridland shows as "online"
[23:07:38] *** Dave Cridland has left the room
[23:07:41] *** Dave Cridland shows as "online"
[23:09:22] *** Zash has left the room
[23:12:54] *** zinid has joined the room
[23:13:08] *** lskdjf has left the room
[23:13:08] *** lskdjf shows as "online"
[23:13:23] <zinid> moparisthebest: I see
[23:13:27] *** vanitasvitae shows as "xa" and his status message is " (Not available due to inactivity for more than 15 minutes)"
[23:13:31] *** lskdjf shows as "online"
[23:14:47] *** blabla has left the room
[23:14:50] *** blabla has joined the room
[23:14:57] *** Alex has left the room
[23:17:37] *** Dave Cridland has left the room
[23:17:39] *** Holger shows as "away" and his status message is "Auto-away (idle)"
[23:17:40] *** Dave Cridland shows as "online"
[23:18:42] *** lskdjf has left the room
[23:18:43] *** lskdjf shows as "online"
[23:19:46] *** Dave Cridland has left the room
[23:19:52] *** Dave Cridland shows as "online"
[23:21:36] *** SamWhited shows as "online"
[23:22:25] *** lskdjf has left the room
[23:22:26] *** lskdjf shows as "online"
[23:24:37] *** lskdjf has left the room
[23:24:38] *** lskdjf shows as "online"
[23:24:44] *** vanitasvitae shows as "online"
[23:24:46] *** bra has joined the room
[23:25:11] *** vanitasvitae has left the room
[23:25:32] *** vanitasvitae has joined the room
[23:35:41] *** mimi89999 shows as "online"
[23:37:04] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[23:38:51] *** vanitasvitae shows as "online"
[23:43:51] *** vanitasvitae shows as "away" and his status message is " (Away due to inactivity for more than 5 minutes)"
[23:48:21] *** lskdjf has left the room
[23:48:28] *** lskdjf shows as "online"
[23:50:27] *** vanitasvitae shows as "online"
[23:50:27] *** Dave Cridland has left the room
[23:50:32] *** vanitasvitae has left the room
[23:51:14] *** Dave Cridland shows as "online"
[23:55:03] *** bra shows as "away" and his status message is "Auto-status (inactive)"
[23:57:30] *** bra shows as "online"
[23:59:05] *** lskdjf has left the room
[23:59:18] *** lskdjf shows as "online"