-
nyco
a question: https://fosstodon.org/web/statuses/103166428834063205 @sofia@chaos.social @xmpp hi there! i was wondering if XMPP has any standards or plans for self-verifying IDs? like if my public key (or its hash) is a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8 then my id could be a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8@jabber.ccc.de and so everyone who knows my id automatically has a verified, secure channel to me.. sofia @sofia@chaos.social oh, the same question goes to @matrix , too! it may even be more relevant to #matrix because i think they have a single default e2e encryption scheme, unlike XMPP. #selfVerifyingID
-
!XSF_Martin
Like adding your omemo ID to your jid in conversations?
-
!XSF_Martin
xmpp:info@mdosch.de?omemo-sid-709870363=951898c88f683d55e7fe74dc9b8980489162d251b140bd9e5ccd8d28f7f7dc70
-
!XSF_Martin
If you add me with this link in conversations you'll automatically have my omemo key verified. Don't know if it's included in the omemo xep and other programs support this too.
-
!XSF_Martin
Maybe Daniel can clarify.
-
Ge0rG
!XSF_Martin: I think the underlying idea is to use your key-id as an identifier instead of the localpart of the JID
-
Ge0rG
if followed consequently, the domain part will be merely a routing identifier, i.e. "I'm currently holding my temporary state at jabber.ccc.de, but tomorrow it might be fancyjabs.biz"
-
!XSF_Martin
Where is this more unique/verified than your jid?
-
Ge0rG
The Matrix folks are in the process of retrofitting this mechanism after they found out that having a server responsible for your identity is a "dumb" idea ;)
-
!XSF_Martin
Oh, so that would need some sort of registry?
-
Ge0rG
!XSF_Martin: no. it would need servers to verify your proof of key ownership
-
Ge0rG
!XSF_Martin: but the resulting protocol would be a different subset of Zooko's triangle
-
Ge0rG
<https://en.wikipedia.org/wiki/Zooko%27s_triangle>
-
!XSF_Martin
As a self hoster my domain and my jid on my website is proof enough for me. 😂
-
Ge0rG
nyco: does that help in answering?
-
nyco
nope, I don't understand this discussion, sorry... :) I suggest some of you (who have fediverse accounts) engage the conversations, or you suggest me a text answer that I will post as @xmpp
-
Ge0rG
nyco: text suggestion: In the federated XMPP IM network, user identity is always enforced by the respective servers, allowing for human-readable identifiers, and there are no current plans to change this. You could create an overlay network, where user accounts would authenticate to a server by their keypair, and the username part would be a hash or fingerprint resulting from this. To be secure, that approach would require that a client signs every piece of information that is stored on the server or transmitted to other systems, and each other system will have to verify that signature. The domain part of your ID would become merely a "drop box" for the data sent to you, as you could re-register with your key pair on any other domain, and XMPP would be just a routing layer for your overlay network with your currently-used server as a single point of failure. Eventually, you will realize that XMPP is not a perfect routing layer for such a protocol, and that there are better protocols for the requested traits of Zooko's triangle <https://en.wikipedia.org/wiki/Zooko%27s_triangle>
-
Ge0rG
I hope this take isn't too cynical
-
flow
at some point you end with the "dead drops" that vuvuzela.io uses
-
Ge0rG
Vuvuzela: > Vuvuzela is a private chat application that hides metadata, including who you chat with and when you are chatting. Also Vuvuzela: > Create your Vuvuzela account [_] I am not a robot (reCAPTCHA)
-
Ge0rG
Only reinforces me in my opinion not to trust things hosted on .IO domains
-
David Cridland
nyco, I think you touch on the answer there. Using hashes as addresses (which was first discussed for email, incidentally) has problems because you end up with a fixed (ie, non-agile) encryption mechanism. Moreover, what if a key is compromised? To have access to the key ends up implicitly granting access to the identity, so if your key is changed then so must your address. XMPP has tried overloading portions of the address with meanings other than routing; it really is a painful problem when those meanings diverge.
-
David Cridland
nyco, An alternative solution is a secure method for binding a key to an identity. X.509, for example, uses a trusted third party to verify this, PGP uses a web of trust instead for much the same result. Many E2EE solutions use an in-person verification solution (QR codes, fingerprints, etc), or simply "leap of faith", where you prove consistency rather than identity.
-
David Cridland
nyco, FWIW, I don't think the question refers to Zooko's Triangle, since the question doesn't care about human readable names, but that notwithstanding, Ge0rG's answer is correct.
-
Ge0rG
While the question does not refer to it, I still think that it's a valuable hint in understanding the problem space.
-
Ge0rG
Even though I disagree with the Wikipedia list of things that have "solved" Zooko's
-
Guus
What's the most up-to-date specification that we have on message deletion?
-
Guus
or ephemeral messages?
-
Guus
There was some discussion on this a while back, but did that ever make it into a XEP?
-
Zash
Guus: You mean actual deletion/retraction or the whole routing 2.0 thing?
-
Zash
https://xmpp.org/extensions/xep-0424.html and https://xmpp.org/extensions/xep-0425.html are new
-
Guus
424 is what I'm after
-
Guus
thanks
-
Link Mauve
“09:14:13 Ge0rG> Only reinforces me in my opinion not to trust things hosted on .IO domains”, yet you use poez.io!
-
Ge0rG
origin git://git.poez.io/poezio (fetch) Damn it.
-
pep.
Ge0rG, re hash as localpart, there could be non-trivial infrastructure added (DHT etc.) to allow this, and then a different bind method etc.
-
pep.
The rest of the addressing would be the same
-
pep.
It's not done at the moment, but in the same way we now have a CA XEP we could have a DHT xep :P
-
Ge0rG
pep.: you'd only lose one of the basic aspects of XMPP
-
pep.
how so
-
Ge0rG
that servers are responsible for managing accounts on them
-
Ge0rG
a completely different question: a friend of mine is looking to integrate with Google Firebase via XMPP, and I can't even understand how Google is making use of XMPP for that API from the official docs
-
Ge0rG
are there any resources for people who *do* know how XMPP works?
-
ralphm
https://fosdem.org/2020/news/2019-11-19-accepted-stands/
-
ralphm
yay
-
Zash
Woo
-
Guus
> but who will be where will be announced closer to the event.
-
pep.
Ge0rG, servers could still be responsible for managing accounts on them. A user could choose where to have their account managed, and could also easily decide to move them around
-
Guus
Interesting to find out if we get more space this year!
-
pep.
(that's one possible answer to <moved/>)
-
Zash
People lose their keys. Massive pain to have a key be your identity.
-
pep.
That's their issue, and it's always been
-
pep.
They currently lose their password, it's the same story
-
jonas’
a password can be changed
-
Zash
Has Summit 2020 dates been set?
-
jonas’
if your identity is tied to your key ...
-
pep.
jonas’, the operator has the responsibility to decide if they allow giving access to a potential attacker :)
-
pep.
I prefer to leave this responsibility to the user themselves tbh
-
pep.
Zash, yep, before FOSDEM
- Zash checks https://wiki.xmpp.org/web/Conferences/Summit_24
-
pep.
it's been tweeted somewhere and on the wiki yeah
-
pep.
ralphm, any idea why Matrix is not included in the realtime lounge again?
-
pep.
Why they can be separate from everyone else
-
pep.
Next year can we have XMPP split as well if so?
-
Zash
Marketing reasons I assume
-
pep.
Why can't we have marketing as well
-
Guus
pep. Probably history: the Realtime Lounge predates Matrix.
-
Guus
at the time, joining forces gave better chances of all related projects being accepted.
-
pep.
That doesn't really explain it to me. "Hey Matrix! We're going to put you in the realtime lounge", done.
-
Guus
That suggests that Fosdem organisation re-groups their applicants.
-
pep.
I already raised this "issue" a few months ago fwiw
-
Guus
The realtime lounge is being asked for by a group of related projects. Matrix did their own request.
-
David Cridland
Ge0rG, The Firebase XMPP interface is actually a legacy one, which is why the docs are sparse.
-
Guus
We could ask them to join us, or we could ask for our one spot
-
pep.
Guus, maybe we need to do the opposite then? Request a slot for XMPP itself
-
Ge0rG
David Cridland: what's the official FCM API if you need upstream messages?
-
David Cridland
I thought it was HTTP/2 for the shinies - you need messages from device to backend, do you?
-
Ge0rG
I already know from Android development that you need at least one full-time developer just to keep up with Google changing APIs
-
Ge0rG
David Cridland: exactly
-
Guus
pep. yes we could do that. I'm not sure if that improves our chances of getting a spot though.
-
Seve
If we can apply to both, I guess it is fine. Otherwise we would risk it and lose the spot entirely, is it?
-
David Cridland
Ge0rG, Send a normal push and then have the app callback with an XMPP session? :-)
-
pep.
Guus, well Matrix is getting their own.. I'm not sure why not
-
David Cridland
Also, didn't know there was Saturday-only and Sunday-only stands.
-
Ge0rG
David Cridland: was that ironic?
-
Guus
because there's a status quo. Also, other projects in the realtime lounge put in quite some effort to get things organized.
-
ralphm
pep. we can totally have XMPP marketing there, and we've done that since forever
-
David Cridland
Ge0rG, Not entirely. But I don't know that it's a terrible idea - I find the feedback from Push pretty poor at the best of times.
-
ralphm
Doing it as the Realtime Lounge just gave us a better chance of being accepted, than each individual project (XMPP, Jitsi, other RTC projects) on their own
-
Ge0rG
David Cridland: https://firebase.google.com/docs/cloud-messaging/android/upstream clearly says that you need FCM XMPP for that
-
David Cridland
Ge0rG, Oh, still? Well, that's good I suppose.
-
Ge0rG
David Cridland: feedback from your developers doing Push regarding reliability / real-time?
-
pep.
ralphm, people see "Matrix" and they don't see "XMPP"
-
pep.
We're not playing on the same field
-
Zash
pep.: XMPP isn't a FOSS project
-
ralphm
Zash: the dates were announced even by e-mail on several mailing lists on Aug 11, including summit@.
-
David Cridland
Ge0rG, You might be able to make some sense out of the Python asyncio FCM library, I know that uses XMPP.
-
ralphm
pep. on the schedule you mean, yes, that is true. On the floor, they totally see XMPP.
-
pep.
Zash, that's another problem sure. XMPP unlike Matrix is not a standard, an implementation, a company, etc. all at the same time
-
Guus
Note that we get a lot of benefit from bundling forces. Saul does most of the organizing and often is manning the devroom too.
-
Guus
Our exposure on the floor is pretty good
-
Ge0rG
David Cridland: let's move this into private chat. I'm currently looking at Smack as an FCM client library
-
Guus
(we could improve the look and feel, but there's definitely a XMPP presence - basically all of the lounge is XMPP)
-
pep.
Ge0rG, I think our exposure is pretty bad, but that's another topic
-
pep.
In the corner where nobody goes
-
Guus
Yeah, we've asked for more space in a different location
-
Guus
but that wouldn't change by going at it alone - if anything, we'd get less space.
-
David Cridland
FWIW, +1 to different location - we're very much in the corner at the moment. But also quite happy as a group.
-
Guus
For years, XMPP effectively took all of the floor space that is meant to be shared with a few projects - so we're not doing bad there.
-
Guus
Yeah, the location thing has, again, be asked for explicitly. But that's out of our hands.
-
Zash
It's a pretty cozy corner FWIW
-
Guus
The corner isn't too bad, but it now has too many stands in it
-
David Cridland
ralphm, Oh, my wife says to ask you for green hoodies this year.
-
pep.
Who decides for the hoodies btw? Can anybody see the swag before it gets printed?
-
Guus
So, by doing our own application, we'd reduce the chance of being accepted, run the risk of getting less space on the floor, will have to do our own organizing (especially for the Dev room). Only to get 'XMPP' printed on the folders? For me, that's not enough added value.
-
Guus
pep. we desperately want people to provide content there!
-
Guus
last year, Dave and Ralph came up with designs
-
David Cridland
I didn't!
-
Guus
but please, suggest stuff
-
Guus
the bottle openers were yours!
-
Zash
And as noted, FOSDEM is more for FOSS projects, which XMPP isn't.
-
David Cridland
Oh, the text, in which I missed a better gag.
-
Guus
See, we need better content pep. - dwd has been failing us! 😃
-
David Cridland
The original (grey) hoodies were my design, though.
-
Zash
Classic
-
David Cridland
I think we should do pens and notebooks if we can, must be a "messaging" joke there.
-
Zash
Letter openers?
-
Zash
For extra fun at the airport
-
Guus
empty cans with strings.
-
Zash
Haha
-
Guus
we'll brand them "Matrix" >;-)
-
David Cridland
Nice.
- Guus back to fixing bugs left by one 'dave' in our codebase
-
David Cridland
A new t-shirt design would be good, if we could think of one.
- David Cridland checks name
-
David Cridland
Can't be me then.
-
Guus
stream management.
-
David Cridland
That was Jonny.
-
Guus
fun things happen when a client reconnects using the same resource
-
David Cridland
Oh, interesting.
-
pep.
Guus, isn't that what is done nowadays? :x
-
pep.
(using the same resource)
-
Zash
Replacing the previous one instead of resuming it?
-
pep.
ah
-
Guus
There's a couple of things going wrong. Long story short: the new session is kicked after the TTL for the original session elapses.
-
Guus
But various periodic tasks, behavior differing between clients, and a requirement for a previous session to have existed made this hard to reproduce 🙂
-
Zash
Reference to the resource instead of the session itself?
-
ralphm
pep., I shared my designs with several people involved with organising for the Summit / FOSDEM before they went to print
-
Guus
Zash yup
-
Guus
ralphm Do we still have orange ones? I ruined mine 😞
-
ralphm
David Cridland, suggestion of 'Green Hoodies' noted.
-
Zash
Green like the logo?
-
David Cridland
ralphm, It'd be quite fun to have a rainbow of colours available.
-
Zash
Logo colors?
-
ralphm
Guus: a couple, but maybe not all sizes. I'm not at home right now, but can check.
-
Zash
Photo shoot with people arranged in the shape of the logo, with proper colors?
-
Guus
David Cridland pretty expensive too, if you want to do them in all sizes.
-
Guus
ralphm thanks
-
ralphm
David Cridland, the problem with many color options is that I would want to know upfront who wants which size/color.
-
David Cridland
FWIW, I have to admit I don't much like the sleeve print. Perhaps I'm too old and uncool for that.
-
MattJ
Potentially anyone travelling from the UK with merchandise for sale at FOSDEM may be in an interesting situation next year
-
ralphm
David Cridland, quite
- David Cridland cries
-
Link Mauve
MattJ, nah, https://twitter.com/julianpopov/status/1185664196178042880
-
ralphm
MattJ, why? You'd leave before brexit, but come back after :-D
-
Link Mauve
The XMPP logo we printed on the flyers for Capitole du Libre last weekend was much darker and less shiny than on a computer screen. :(
-
MattJ
Would that make me an exporter from the EU??
-
Link Mauve
Paper is hard.
-
ralphm
Also, the better plan recently has been shipping it to my address, as we also have a van for the event.
-
Ge0rG
ralphm: add some XMPP-branded sweets and you can spray "free candy inside" on the van door
-
Guus
LOL
-
ralphm
Yeah, our region is market leader in that stuff. Should be easy.
-
ralphm
Reminds me of the Breaking Bad session at RealtimeConf: https://vimeo.com/77799055
-
ralphm
Oh, how I miss RealtimeConf
-
MattJ
Indeed
-
pep.
hah that's a cool session
-
Zash
pep., did you have Prosody stickers btw?
-
pep.
I did
-
pep.
There's like 5 left
-
ralphm
pep., 'cool' doesn't even begin to describe this. This was a conference with its own novel, graphic novel, and play + soundtrack (played live in between the sessions)
- ralphm puts on https://benmichel.bandcamp.com/
-
pep.
nice
-
pep.
thoughts about having the muc service also provide an http upload/jingle component or sth to upload files? For when the user server doesn't provide it.
-
pep.
Maybe there are times where it makes more sense to have it on the muc at all rather than the user's server.
-
Ge0rG
pep.: I totally agree. It's also a minor privacy leak to see your private server's HTTP URL in a MUC
-
Zash
pep.: Not opposed. Authz via affiliation or such?
-
pep.
Sure
-
Ge0rG
Zash: via occupancy?
-
Ge0rG
Maybe the MUC domain should just allow the 0363 IQs to all JIDs that are joined to at least one MUC
-
MattJ
Interesting that you could then upload the files to a MUC service and then post the links elsewhere
-
Zash
O(rooms) lookup?
-
pep.
MattJ, I guess that's "already an issue" anyway? you can create an anonymous user on most public servers and upload something there
-
pep.
Or even just any real account
-
MattJ
Sure
-
Zash
If it's tied to a single room then it could automatically be broadcast on upload too
-
Ge0rG
Good luck figuring out the race conditions between the sending client's message and that
-
nyco
https://brandimage.io/insight/XMPP?source=reddit
-
nyco
https://brandimage.io/insight/XMPP?source=hn
-
pep.
"A web page is slowing down your browser. What would you like to do?"
-
nyco
indeed, it may be slow. Weird, on my old computer and tab-overloaded browsers I don't have this warning