XMPP Council - 2012-04-04


  1. linuxwolf

    meeting in one more hour (ish)?

  2. Kev

    Nope, now.

  3. Kev

    I suck.

  4. Kev

    Thanks for the poke

  5. linuxwolf

    heh

  6. linuxwolf

    no worries

  7. linuxwolf is still not sure which timezone he's hin

  8. Kev

    I'm in GSoC time.

  9. linuxwolf

    (-:

  10. Kev

    But anyway.

  11. Kev

    1) Roll call.

  12. linuxwolf

    presente

  13. Kev

    MattJ / Tobias: Highlight.

  14. Tobias

    present

  15. MattJ

    Boo

  16. MattJ

    gift

  17. linuxwolf

    offering?

  18. Kev

    Righty

  19. Kev

    2) XMPP WG report.

  20. Kev

    linuxwolf: You fancy giving one? :)

  21. linuxwolf

    sure

  22. linuxwolf

    The WG meeting in Paris, one week back

  23. linuxwolf

    major topics are end-to-end encryption, domain-name-assertions, and i18n

  24. Tobias

    roughly the same topics as 5 years ago it seems :)

  25. linuxwolf

    there is a draft for a new proposal to e2e, which puts key management into a protocol, and is trying to re-use the work from JOSE (JSON Object Signing and Encrypting)

  26. linuxwolf

    Tobias: basically (-:

  27. MattJ

    I finally know what JOSE is

  28. linuxwolf

    (-:

  29. Kev

    linuxwolf: So long as it doesn't need us to rewrite XMPP in JSON.

  30. linuxwolf

    no!

  31. linuxwolf

    the proposal has been received favorable reviews to date

  32. linuxwolf

    the crypto bits are encoded with some sprinkling of JSON, but the XMPP stuff is still XML

  33. Kev

    OK.

  34. linuxwolf

    it was either that or ASN.1

  35. linuxwolf

    no one born after 1970 wants to use ASN.1

  36. Tobias

    wheeee..ASN.1 :D

  37. MattJ

    :)

  38. Kev

    Right.

  39. linuxwolf

    if you're interested: http://tools.ietf.org/html/draft-miller-xmpp-e2e

  40. linuxwolf

    there'll be an update to that sometime this month (-:

  41. Kev

    Ta. I'll have a read at some point (not right now).

  42. linuxwolf

    DNA ...

  43. linuxwolf

    so, after floundering about with non-discussion ...

  44. linuxwolf

    … an approach is starting to form around a layered approach

  45. linuxwolf

    1) determine alternate trust algorithms for certificates

  46. linuxwolf

    2) use stream:stream headers and/or dialback for asserting names (then use the afore mentioned prooftypes)

  47. linuxwolf

    there's been discussion for two alternatives over PKIX: https/.well-known and DANE

  48. linuxwolf

    DANE is a DNS-based protocol, essentially you get the target cert, signed indirectly with DNSSEC

  49. linuxwolf

    the TLSA RR is signed, but the cert can be almost anything: self-signed, ca-signed, trust-anchor, etc

  50. Tobias

    linuxwolf, alternatives? can't PKIX, https/.well-known and DANE co-exist?

  51. linuxwolf

    they can

  52. Tobias

    and HTTPS's S is based on what, PKIX?

  53. linuxwolf

    and a server (or client) will likely need to implement all three

  54. linuxwolf

    the HTTPS/.well-known is simply the target certificate (or maybe also a trust-anchor) at a specific path through HTTPS

  55. linuxwolf

    the trust established if you can trust the HTTPS connection

  56. Tobias

    PKIX and DANE are likely to be implemented in TLS libraries in future, right?

  57. Kev

    Tobias: HTTPS:/.well-known is basically "Yes, we're not solving any problems, but we're saying they're not *our* problems, so that's fine".

  58. linuxwolf

    in all cases, the target cert would be the hosting services cert (e.g. talk.goole.com or webexconnect.com) but obtained from the target domain (e.g. example.com)

  59. linuxwolf

    PKIX is already implemented in OpenSSL

  60. Tobias

    linuxwolf, right...wrongly phrased

  61. linuxwolf

    DANE is likely to be implemented in some DNS libraries

  62. linuxwolf

    but just to get the cert

  63. Kev

    linuxwolf: *Some* of PKIX is in OpenSSL, right?

  64. linuxwolf

    you'll then feed that into, say, OpenSSL to complete validation

  65. Kev

    PKIX also includes revocation, doesn't it?

  66. linuxwolf

    Kev: it depends on what version of OpenSSL we're talking about

  67. linuxwolf

    it does

  68. Kev

    And OpenSSL doesn't do revocation checks for you.

  69. linuxwolf

    it can do some

  70. Kev

    Does it?

  71. Tobias

    k...and the HTTPS way will probably always need to implemented directly by XMPP client/server devs

  72. linuxwolf

    1.0 can process a CRL chain, if it's local

  73. linuxwolf

    Tobias: most likely

  74. linuxwolf

    as I see it: HTTPS would be implemented "now", and DANE would come later

  75. Tobias

    linuxwolf, is DANE so far away *now*?

  76. linuxwolf

    long-term, DANE is probably the better technical approach, but it's not exactly deployable yet

  77. linuxwolf

    it depends on who you ask

  78. Tobias

    yeah...i've asked my ISP and he said ask again in a month ^^

  79. linuxwolf

    there are more and more DNS resolvers and nameservers supporting DNSSEC, but only for the common TLDs

  80. Tobias

    right

  81. linuxwolf

    outside of .com/org/net, it's not available

  82. linuxwolf

    DANE has not finished IESG Last Call, so there's a lot of people holding off on implementations

  83. Tobias

    but requireing HTTPS support for XMPP clients/servers

  84. linuxwolf

    /shrug

  85. linuxwolf

    HTTPS implementations are everywhere, and if a server supports BOSH, it already supports HTTP

  86. linuxwolf

    adding HTTPS is not *that* much more work, unless you did everything by hand

  87. Tobias

    but then again there are a lot (maybe even well tested) ready to use implementations for it

  88. linuxwolf

    exactly

  89. MattJ

    If a server supports BOSH it supports being a server, not a client

  90. linuxwolf

    plus, a lot of clients end up with HTTP libraries for things like updating and grabbing images and whatnot

  91. Kev

    I think it's a much more nefarious problem than that.

  92. MattJ

    but *shrug*, Prosody does both already

  93. linuxwolf

    MattJ: true, but like I said there are lots and lots of HTTP libraries around

  94. Kev

    It's one thing "supporting HTTP", it's quite another getting this into the trust checking for the XMPP session.

  95. Kev

    But anyway.

  96. MattJ

    Is it really?

  97. linuxwolf

    Kev: well, gotta get there somehow

  98. MattJ

    Harder than anything else?

  99. MattJ

    The trust checking is going to change anyway

  100. linuxwolf

    right

  101. Kev

    MattJ: Harder than PKIX, which is already required, yeah :)

  102. linuxwolf

    PKIX isn't good enough already, so *something* needs to be done

  103. MattJ

    Right

  104. Tobias

    exactly

  105. Kev

    So, do you connect to the XMPP server, ask for the cert, then see it's not right, so go on to check over HTTPS?

  106. linuxwolf

    both DANE and HTTPS are essentially "does this cert match", without the need to go through the nitty-gritty subject

  107. Kev

    If both certs are 'bad', but behind the HTTPS cert is the .well-known for the XMPP server, do you present the HTTP stuff to the user and ask them to trust the HTTPS? etc.

  108. linuxwolf

    Kev: that's roughly what I was thinking

  109. Kev

    I'm not saying these aren't resolvable problems.

  110. Kev

    I *am* saying this is a lot more unpleasant at the edges than "Well, there are plenty of HTTPS libraries, so we just use those" makes it sound.

  111. MattJ

    Sure

  112. linuxwolf

    Kev: it's a detail that does need to get worked out, but frankly the HTTP people have done a lot more with it than anyone else

  113. Kev

    Right, probably.

  114. Kev

    So, moving on :)

  115. linuxwolf

    anyway, comments on the xmpp@ietf.org mailing list are most welcome

  116. linuxwolf

    the last one is i18n

  117. linuxwolf

    Precis is finishing up its definition of the framework, and stpeter has a draft for 6122bis based on that

  118. linuxwolf

    but, there are a lot of dragons to work out, and we're suggesting some sub-profiles for specific things, like MUC nicknames

  119. linuxwolf

    so a resourcepart would accept just about anything, but usage with MUC would be more restrictive

  120. linuxwolf

    some discussion on how one might go about enforcing and discovering such rules (which are seen as locale-specific) was thought about

  121. linuxwolf

    a lot of 6122bis is waiting on precis, which is progressing … albeit slower than others would like

  122. linuxwolf

    and I think that about sums up the actual meeting

  123. MattJ

    The "others" who don't like the speed aren't very vocal in helping resolve issues (afaics)

  124. linuxwolf

    there is a proposal from a group in Japan for alternatives to DNS SRV, and they'd like feedback on it

  125. MattJ

    Not that the issues are easy, but that's why it's slow

  126. linuxwolf

    MattJ: essentially

  127. linuxwolf

    well, that, and it's really a cultural problem we're attempting to solve with technology

  128. linuxwolf

    so there may not actually be a right way to do this anyway

  129. MattJ

    Indeed

  130. linuxwolf

    the precis meeting ended with "maybe we need a new area directorate for internationalization"

  131. Tobias

    heh

  132. linuxwolf

    yeah

  133. linuxwolf

    oh, one last point on DNA: there is no current draft yet, but there's three of us working on one, once we get back to work from IETF (-:

  134. linuxwolf

    so be on the lookout for that, if you care about it

  135. Kev

    Lovely.

  136. Kev

    So that's Paris covered?

  137. linuxwolf

    most people, smarter people, take time off after these

  138. linuxwolf

    yes

  139. Kev

    3) Date of next meeting - same time next week?

  140. Tobias

    wfm

  141. linuxwolf

    wfm

  142. MattJ

    wfm

  143. Kev

    4) Request from chair

  144. Kev

    Can someone else minute this please?

  145. linuxwolf

    will do

  146. Kev

    Thanks verym uch.

  147. Kev

    5) AOB?

  148. MattJ

    None here

  149. linuxwolf

    I'll have them out by tomorrow

  150. linuxwolf

    nothing more from me

  151. Tobias

    neither here

  152. Kev

    Marvellous.

  153. Kev

    Thanks all.

  154. Kev meeting over gavel bangs.

  155. linuxwolf

    five minutes over (-:

  156. MattJ

    :)

  157. linuxwolf goes off to next meeting … which is probably already over

  158. Kev

    Yeah, sorry.

  159. linuxwolf

    no, it's perfectly fine

  160. Kev

    Exactly 30 minutes, but I needed to be poked to start.

  161. linuxwolf

    fine with me anyway, I've already told the others I'm likely to miss on Wednesdays (-:

  162. Kev

    MattJ: MAM. We're almost certain to have someone working on it in Swift for GSoC - so a) Where's the spec and b) How's Prosody's support?

  163. MattJ

    a) the spec is either the one currently on matthewwild.co.uk, or the one I haven't finished yet to submit

  164. MattJ

    b) Prosody's support is for the one on matthewwild.co.uk, and I believe it is mostly complete, just inefficient (fine for developing with, not for production)

  165. MattJ

    Zash would know more, since he wrote it

  166. Kev

    How different is what you're submitting for XEPpification from what's on mw.co.uk?

  167. MattJ

    Not very

  168. MattJ pulls up matthewwild.co.uk's version

  169. Kev

    OK, cool.

  170. Kev

    We have to expect some change from Experimental->Draft anyway.

  171. MattJ

    Right, so everything there will work

  172. MattJ

    But I'm adding querying by id too

  173. Kev

    But if you'd rewritten it, targetting that doc wouldn't be much use.

  174. MattJ

    No, the basics there won't change

  175. Kev

    "Querying by id" -> "Get me everything since ID X"?

  176. MattJ

    Yes

  177. Kev

    Cool.

  178. MattJ

    I think I talked to you about this once upon a time

  179. Kev

    Yes, I said we needed it.

  180. MattJ

    I was trying to avoid giving messages unique ids

  181. MattJ

    But I agree it's a necessary evil

  182. MattJ

    One interesting open question...

  183. MattJ

    Is how the client knows the id of messages it sends

  184. MattJ

    We either solve it so that it does, or it downloads duplicates

  185. MattJ

    at some point

  186. MattJ

    I think this is most important for clients that have dual local-remote history implementations

  187. MattJ

    and since all clients with history do local at the moment... it's important to them

  188. MattJ

    Everything else is simple, but I can't dream up a clean solution to this

  189. MattJ

    I was going to leave it open when I submit the spec, and see if anyone on the list has bright ideas

  190. Kev

    MattJ: Well, there are beautiful solutions for it that you don't want to consider :)

  191. MattJ

    Such as?

  192. Kev

    Like just redownloading all messages and ignoring your 'natural' history in favour of what's in MAM.

  193. MattJ

    Sure, that's one solution (no solution at all)

  194. MattJ

    It just feels like a waste of time to me to re-download messages it already has

  195. Kev

    Of course it is :)

  196. Kev

    But, I think we can solve this.

  197. Kev

    Or, rather, not knowing the id of your sent messages isn't the biggest problem here.

  198. MattJ

    What do you think is?

  199. Kev

    I'm assuming that the case we're trying to solve here is "I want to use MAM to get a full local history cache, given that I have already received all my this-resource messages"

  200. MattJ

    Indeed

  201. Kev

    And in this case, the big problem is 'filling in' the same history period for which you have a partial history.

  202. MattJ

    Mmm

  203. Kev

    Now, possibly the thing to do here is to always use carbons.

  204. Kev

    That is "If you are going to want a complete local history cache, always use carbons.".

  205. Kev

    That way you can sync from $LAST_ID -> $NOW when you log in, get carbons of everything from then on, and record the last received message id when you log out. Or even have the server send you the last MAM id for a message you've received when you close the stream.

  206. MattJ

    Indeed

  207. MattJ

    What about messages you send? Which carbons doesn't provide atm afaik

  208. Kev

    It should.

  209. Kev

    linuxwolf: Ping.

  210. Kev

    There's not so much point using carbons to get half of every conversation other than the one for the current session :)

  211. linuxwolf

    ??

  212. linuxwolf

    IIRC, the original thinking was if a specific resource is sending the message, it doesn't need a carbon of it

  213. linuxwolf

    how about I change § 3.6 to: Carbons clients want to have copies of messages going in /both/ directions for all resources associated with the same user. To that end, messages of type "chat" that are sent from any resource MUST be copied by the sending server to each of the resources that have enabled Carbons.

  214. Kev

    Do you currently get a copy of every message sent from another resource?

  215. Kev

    I thought $OTHER_MATT was implying that you didn't (I thought you did).

  216. Kev

    This is what you need. I don't think you need a duplication of your own outgoings.

  217. MattJ

    No, sorry, I wasn't implying that

  218. MattJ

    When I said "you" I meant the current resource

  219. Kev

    I don't think you need that, do you?

  220. linuxwolf

    the current text forwards a <sent/> carbon to every resource OTHER THAN the sending resource

  221. linuxwolf

    I can see going either way

  222. Kev

    linuxwolf: Thanks - that's all I think is needed, but Matt might know otherwise.

  223. linuxwolf

    forwarding to all sending resources makes it more MUC-like

  224. Kev

    It does. It also potentially makes it *slightly* nicer for local history caching.

  225. linuxwolf

    that's what I was thinking

  226. Kev

    But it's pretty slight, I think, and the bandwidth cost isn't insignificant.

  227. linuxwolf

    true

  228. linuxwolf

    then again, if you're mobile, you're radio is already at full because you just sent something (-:

  229. linuxwolf

    and if compression is enabled, how much is that cost really?

  230. linuxwolf

    just playing devil's advocate here … I'm fine with it as-is, or changing it to every … I don't really care

  231. Kev

    Right.

  232. Kev

    I'm happy with as-is, at the moment. I don't think it hurts MAM.

  233. Kev

    I think having a MAM server send you a "Your last received id is" when you log out would probably be a better solution, if a solution is needed (I'm not convinced it is).

  234. MattJ

    So you think clients should drop local history?

  235. Kev

    I don't think I'm saying that.

  236. Kev

    Although I could be wrong :)

  237. Kev

    I think I'm saying that MAM+Carbons is sufficient already to get a complete local cache.

  238. Kev

    Or even a local cache where it is incomplete, but the gaps are known.

  239. Kev

    (And thus could be filled when the user wants history)