-
linuxwolf
meeting in one more hour (ish)?
-
Kev
Nope, now.
-
Kev
I suck.
-
Kev
Thanks for the poke
-
linuxwolf
heh
-
linuxwolf
no worries
- linuxwolf is still not sure which timezone he's hin
-
Kev
I'm in GSoC time.
-
linuxwolf
(-:
-
Kev
But anyway.
-
Kev
1) Roll call.
-
linuxwolf
presente
-
Kev
MattJ / Tobias: Highlight.
-
Tobias
present
-
MattJ
Boo
-
MattJ
gift
-
linuxwolf
offering?
-
Kev
Righty
-
Kev
2) XMPP WG report.
-
Kev
linuxwolf: You fancy giving one? :)
-
linuxwolf
sure
-
linuxwolf
The WG meeting in Paris, one week back
-
linuxwolf
major topics are end-to-end encryption, domain-name-assertions, and i18n
-
Tobias
roughly the same topics as 5 years ago it seems :)
-
linuxwolf
there is a draft for a new proposal to e2e, which puts key management into a protocol, and is trying to re-use the work from JOSE (JSON Object Signing and Encrypting)
-
linuxwolf
Tobias: basically (-:
-
MattJ
I finally know what JOSE is
-
linuxwolf
(-:
-
Kev
linuxwolf: So long as it doesn't need us to rewrite XMPP in JSON.
-
linuxwolf
no!
-
linuxwolf
the proposal has been received favorable reviews to date
-
linuxwolf
the crypto bits are encoded with some sprinkling of JSON, but the XMPP stuff is still XML
-
Kev
OK.
-
linuxwolf
it was either that or ASN.1
-
linuxwolf
no one born after 1970 wants to use ASN.1
-
Tobias
wheeee..ASN.1 :D
-
MattJ
:)
-
Kev
Right.
-
linuxwolf
if you're interested: http://tools.ietf.org/html/draft-miller-xmpp-e2e
-
linuxwolf
there'll be an update to that sometime this month (-:
-
Kev
Ta. I'll have a read at some point (not right now).
-
linuxwolf
DNA ...
-
linuxwolf
so, after floundering about with non-discussion ...
-
linuxwolf
… an approach is starting to form around a layered approach
-
linuxwolf
1) determine alternate trust algorithms for certificates
-
linuxwolf
2) use stream:stream headers and/or dialback for asserting names (then use the afore mentioned prooftypes)
-
linuxwolf
there's been discussion for two alternatives over PKIX: https/.well-known and DANE
-
linuxwolf
DANE is a DNS-based protocol, essentially you get the target cert, signed indirectly with DNSSEC
-
linuxwolf
the TLSA RR is signed, but the cert can be almost anything: self-signed, ca-signed, trust-anchor, etc
-
Tobias
linuxwolf, alternatives? can't PKIX, https/.well-known and DANE co-exist?
-
linuxwolf
they can
-
Tobias
and HTTPS's S is based on what, PKIX?
-
linuxwolf
and a server (or client) will likely need to implement all three
-
linuxwolf
the HTTPS/.well-known is simply the target certificate (or maybe also a trust-anchor) at a specific path through HTTPS
-
linuxwolf
the trust established if you can trust the HTTPS connection
-
Tobias
PKIX and DANE are likely to be implemented in TLS libraries in future, right?
-
Kev
Tobias: HTTPS:/.well-known is basically "Yes, we're not solving any problems, but we're saying they're not *our* problems, so that's fine".
-
linuxwolf
in all cases, the target cert would be the hosting services cert (e.g. talk.goole.com or webexconnect.com) but obtained from the target domain (e.g. example.com)
-
linuxwolf
PKIX is already implemented in OpenSSL
-
Tobias
linuxwolf, right...wrongly phrased
-
linuxwolf
DANE is likely to be implemented in some DNS libraries
-
linuxwolf
but just to get the cert
-
Kev
linuxwolf: *Some* of PKIX is in OpenSSL, right?
-
linuxwolf
you'll then feed that into, say, OpenSSL to complete validation
-
Kev
PKIX also includes revocation, doesn't it?
-
linuxwolf
Kev: it depends on what version of OpenSSL we're talking about
-
linuxwolf
it does
-
Kev
And OpenSSL doesn't do revocation checks for you.
-
linuxwolf
it can do some
-
Kev
Does it?
-
Tobias
k...and the HTTPS way will probably always need to implemented directly by XMPP client/server devs
-
linuxwolf
1.0 can process a CRL chain, if it's local
-
linuxwolf
Tobias: most likely
-
linuxwolf
as I see it: HTTPS would be implemented "now", and DANE would come later
-
Tobias
linuxwolf, is DANE so far away *now*?
-
linuxwolf
long-term, DANE is probably the better technical approach, but it's not exactly deployable yet
-
linuxwolf
it depends on who you ask
-
Tobias
yeah...i've asked my ISP and he said ask again in a month ^^
-
linuxwolf
there are more and more DNS resolvers and nameservers supporting DNSSEC, but only for the common TLDs
-
Tobias
right
-
linuxwolf
outside of .com/org/net, it's not available
-
linuxwolf
DANE has not finished IESG Last Call, so there's a lot of people holding off on implementations
-
Tobias
but requireing HTTPS support for XMPP clients/servers
-
linuxwolf
/shrug
-
linuxwolf
HTTPS implementations are everywhere, and if a server supports BOSH, it already supports HTTP
-
linuxwolf
adding HTTPS is not *that* much more work, unless you did everything by hand
-
Tobias
but then again there are a lot (maybe even well tested) ready to use implementations for it
-
linuxwolf
exactly
-
MattJ
If a server supports BOSH it supports being a server, not a client
-
linuxwolf
plus, a lot of clients end up with HTTP libraries for things like updating and grabbing images and whatnot
-
Kev
I think it's a much more nefarious problem than that.
-
MattJ
but *shrug*, Prosody does both already
-
linuxwolf
MattJ: true, but like I said there are lots and lots of HTTP libraries around
-
Kev
It's one thing "supporting HTTP", it's quite another getting this into the trust checking for the XMPP session.
-
Kev
But anyway.
-
MattJ
Is it really?
-
linuxwolf
Kev: well, gotta get there somehow
-
MattJ
Harder than anything else?
-
MattJ
The trust checking is going to change anyway
-
linuxwolf
right
-
Kev
MattJ: Harder than PKIX, which is already required, yeah :)
-
linuxwolf
PKIX isn't good enough already, so *something* needs to be done
-
MattJ
Right
-
Tobias
exactly
-
Kev
So, do you connect to the XMPP server, ask for the cert, then see it's not right, so go on to check over HTTPS?
-
linuxwolf
both DANE and HTTPS are essentially "does this cert match", without the need to go through the nitty-gritty subject
-
Kev
If both certs are 'bad', but behind the HTTPS cert is the .well-known for the XMPP server, do you present the HTTP stuff to the user and ask them to trust the HTTPS? etc.
-
linuxwolf
Kev: that's roughly what I was thinking
-
Kev
I'm not saying these aren't resolvable problems.
-
Kev
I *am* saying this is a lot more unpleasant at the edges than "Well, there are plenty of HTTPS libraries, so we just use those" makes it sound.
-
MattJ
Sure
-
linuxwolf
Kev: it's a detail that does need to get worked out, but frankly the HTTP people have done a lot more with it than anyone else
-
Kev
Right, probably.
-
Kev
So, moving on :)
-
linuxwolf
anyway, comments on the xmpp@ietf.org mailing list are most welcome
-
linuxwolf
the last one is i18n
-
linuxwolf
Precis is finishing up its definition of the framework, and stpeter has a draft for 6122bis based on that
-
linuxwolf
but, there are a lot of dragons to work out, and we're suggesting some sub-profiles for specific things, like MUC nicknames
-
linuxwolf
so a resourcepart would accept just about anything, but usage with MUC would be more restrictive
-
linuxwolf
some discussion on how one might go about enforcing and discovering such rules (which are seen as locale-specific) was thought about
-
linuxwolf
a lot of 6122bis is waiting on precis, which is progressing … albeit slower than others would like
-
linuxwolf
and I think that about sums up the actual meeting
-
MattJ
The "others" who don't like the speed aren't very vocal in helping resolve issues (afaics)
-
linuxwolf
there is a proposal from a group in Japan for alternatives to DNS SRV, and they'd like feedback on it
-
MattJ
Not that the issues are easy, but that's why it's slow
-
linuxwolf
MattJ: essentially
-
linuxwolf
well, that, and it's really a cultural problem we're attempting to solve with technology
-
linuxwolf
so there may not actually be a right way to do this anyway
-
MattJ
Indeed
-
linuxwolf
the precis meeting ended with "maybe we need a new area directorate for internationalization"
-
Tobias
heh
-
linuxwolf
yeah
-
linuxwolf
oh, one last point on DNA: there is no current draft yet, but there's three of us working on one, once we get back to work from IETF (-:
-
linuxwolf
so be on the lookout for that, if you care about it
-
Kev
Lovely.
-
Kev
So that's Paris covered?
-
linuxwolf
most people, smarter people, take time off after these
-
linuxwolf
yes
-
Kev
3) Date of next meeting - same time next week?
-
Tobias
wfm
-
linuxwolf
wfm
-
MattJ
wfm
-
Kev
4) Request from chair
-
Kev
Can someone else minute this please?
-
linuxwolf
will do
-
Kev
Thanks verym uch.
-
Kev
5) AOB?
-
MattJ
None here
-
linuxwolf
I'll have them out by tomorrow
-
linuxwolf
nothing more from me
-
Tobias
neither here
-
Kev
Marvellous.
-
Kev
Thanks all.
- Kev meeting over gavel bangs.
-
linuxwolf
five minutes over (-:
-
MattJ
:)
- linuxwolf goes off to next meeting … which is probably already over
-
Kev
Yeah, sorry.
-
linuxwolf
no, it's perfectly fine
-
Kev
Exactly 30 minutes, but I needed to be poked to start.
-
linuxwolf
fine with me anyway, I've already told the others I'm likely to miss on Wednesdays (-:
-
Kev
MattJ: MAM. We're almost certain to have someone working on it in Swift for GSoC - so a) Where's the spec and b) How's Prosody's support?
-
MattJ
a) the spec is either the one currently on matthewwild.co.uk, or the one I haven't finished yet to submit
-
MattJ
b) Prosody's support is for the one on matthewwild.co.uk, and I believe it is mostly complete, just inefficient (fine for developing with, not for production)
-
MattJ
Zash would know more, since he wrote it
-
Kev
How different is what you're submitting for XEPpification from what's on mw.co.uk?
-
MattJ
Not very
- MattJ pulls up matthewwild.co.uk's version
-
Kev
OK, cool.
-
Kev
We have to expect some change from Experimental->Draft anyway.
-
MattJ
Right, so everything there will work
-
MattJ
But I'm adding querying by id too
-
Kev
But if you'd rewritten it, targetting that doc wouldn't be much use.
-
MattJ
No, the basics there won't change
-
Kev
"Querying by id" -> "Get me everything since ID X"?
-
MattJ
Yes
-
Kev
Cool.
-
MattJ
I think I talked to you about this once upon a time
-
Kev
Yes, I said we needed it.
-
MattJ
I was trying to avoid giving messages unique ids
-
MattJ
But I agree it's a necessary evil
-
MattJ
One interesting open question...
-
MattJ
Is how the client knows the id of messages it sends
-
MattJ
We either solve it so that it does, or it downloads duplicates
-
MattJ
at some point
-
MattJ
I think this is most important for clients that have dual local-remote history implementations
-
MattJ
and since all clients with history do local at the moment... it's important to them
-
MattJ
Everything else is simple, but I can't dream up a clean solution to this
-
MattJ
I was going to leave it open when I submit the spec, and see if anyone on the list has bright ideas
-
Kev
MattJ: Well, there are beautiful solutions for it that you don't want to consider :)
-
MattJ
Such as?
-
Kev
Like just redownloading all messages and ignoring your 'natural' history in favour of what's in MAM.
-
MattJ
Sure, that's one solution (no solution at all)
-
MattJ
It just feels like a waste of time to me to re-download messages it already has
-
Kev
Of course it is :)
-
Kev
But, I think we can solve this.
-
Kev
Or, rather, not knowing the id of your sent messages isn't the biggest problem here.
-
MattJ
What do you think is?
-
Kev
I'm assuming that the case we're trying to solve here is "I want to use MAM to get a full local history cache, given that I have already received all my this-resource messages"
-
MattJ
Indeed
-
Kev
And in this case, the big problem is 'filling in' the same history period for which you have a partial history.
-
MattJ
Mmm
-
Kev
Now, possibly the thing to do here is to always use carbons.
-
Kev
That is "If you are going to want a complete local history cache, always use carbons.".
-
Kev
That way you can sync from $LAST_ID -> $NOW when you log in, get carbons of everything from then on, and record the last received message id when you log out. Or even have the server send you the last MAM id for a message you've received when you close the stream.
-
MattJ
Indeed
-
MattJ
What about messages you send? Which carbons doesn't provide atm afaik
-
Kev
It should.
-
Kev
linuxwolf: Ping.
-
Kev
There's not so much point using carbons to get half of every conversation other than the one for the current session :)
-
linuxwolf
??
-
linuxwolf
IIRC, the original thinking was if a specific resource is sending the message, it doesn't need a carbon of it
-
linuxwolf
how about I change § 3.6 to: Carbons clients want to have copies of messages going in /both/ directions for all resources associated with the same user. To that end, messages of type "chat" that are sent from any resource MUST be copied by the sending server to each of the resources that have enabled Carbons.
-
Kev
Do you currently get a copy of every message sent from another resource?
-
Kev
I thought $OTHER_MATT was implying that you didn't (I thought you did).
-
Kev
This is what you need. I don't think you need a duplication of your own outgoings.
-
MattJ
No, sorry, I wasn't implying that
-
MattJ
When I said "you" I meant the current resource
-
Kev
I don't think you need that, do you?
-
linuxwolf
the current text forwards a <sent/> carbon to every resource OTHER THAN the sending resource
-
linuxwolf
I can see going either way
-
Kev
linuxwolf: Thanks - that's all I think is needed, but Matt might know otherwise.
-
linuxwolf
forwarding to all sending resources makes it more MUC-like
-
Kev
It does. It also potentially makes it *slightly* nicer for local history caching.
-
linuxwolf
that's what I was thinking
-
Kev
But it's pretty slight, I think, and the bandwidth cost isn't insignificant.
-
linuxwolf
true
-
linuxwolf
then again, if you're mobile, you're radio is already at full because you just sent something (-:
-
linuxwolf
and if compression is enabled, how much is that cost really?
-
linuxwolf
just playing devil's advocate here … I'm fine with it as-is, or changing it to every … I don't really care
-
Kev
Right.
-
Kev
I'm happy with as-is, at the moment. I don't think it hurts MAM.
-
Kev
I think having a MAM server send you a "Your last received id is" when you log out would probably be a better solution, if a solution is needed (I'm not convinced it is).
-
MattJ
So you think clients should drop local history?
-
Kev
I don't think I'm saying that.
-
Kev
Although I could be wrong :)
-
Kev
I think I'm saying that MAM+Carbons is sufficient already to get a complete local cache.
-
Kev
Or even a local cache where it is incomplete, but the gaps are known.
-
Kev
(And thus could be filled when the user wants history)