-
Kev
The only thing I have on the agenda for today is the list of purgatory XEPs Peter mailed 'round.
- jabberjocke has joined
- m&m has joined
- Neustradamus has joined
- Tobias has left
- Tobias has joined
- jabberjocke has left
- m&m has left
- m&m has joined
- ralphm has joined
- ralphm waves
- m&m has left
-
Kev
Hi Ralph.
- Tobias has joined
-
Kev
10mins:)
- Tobias has left
-
ralphm
Kev: I always aim for :00, so I'm surely on time
-
Kev
Seems reasonable.
- Tobias has joined
-
Tobias
Jtalk's muc is still a bit buggy
- psaintan has joined
-
psaintan
greetings
-
Tobias
Guten tag
-
ralphm
Goede dag!
-
psaintan
:)
-
Tobias
Interestingly jtalk lists all my multi session nicks
-
psaintan
m&m is in the JSON WG meeting all day and won't join us here
-
Kev
It is time.
-
Kev
psaintan: He said last week he couldn't make it - although I was hoping he'd suggest a better time.
-
Kev
1) Roll call.
-
Kev
M&M sends apologies.
-
Kev
I'm here.
-
ralphm
here
- psaintan is here via his @cisco.com JID
-
Tobias
Here
-
ralphm
psaintan: fancy
- Kev pokes MattJ
- Tobias has left
-
Kev
Tobias leaves in disgust.
-
psaintan
:)
-
ralphm
Still one left, I guess
- Tobias has joined
-
Tobias
Still there
-
Kev
2) Stuff stuck at proposed.
-
Kev
XEP-0152: Reachability Addresses
XEP-0220: Server Dialback
XEP-0288: Bidirectional Server-to-Server Connections
XEP-0297: Stanza Forwarding
XEP-0301: In-Band Real Time Text
-
Kev
Does it seem sensible to vote on them going to Draft next week?
- MattJ has joined
-
Kev
I need to review the 301 diff (Please, everyone else, do feel free to do a review and comment!).
-
psaintan
fippo sent me some editorial nits about 220 and I will process those ASAP
-
Kev
I keep hoping to have a chance to do a cleanroom implementation of 220, but then I don't get around to it, so that's no reason to delay.
-
psaintan
we can ping fippo about 288
-
psaintan
yeah, dialback has been stable for a long time :-)
-
Tobias
Bidi not though
-
Kev
So, everyone ok with just voting on the lot next week?
-
MattJ
Yes, I think so
-
ralphm
just out of curiosity, apart from GTalk connectivity, how much do we still need dialback?
-
Tobias
Fine with me
-
MattJ
I have some small modifications to make to 297, so I'll push those this week
-
Kev
ralphm: We might not want to use the in-dialback proof method, but I think we still want to keep the dialback protocol stuff around.
-
psaintan
ralphm: well, POSH and DNA and such actually use dialback for signalling, about piggybacking so I think we'll keep it around for a while longer :)
-
Kev
At least from what I understand.
-
psaintan
right
-
Kev
OK. So that's all on the agenda for a vote next week.
-
MattJ
psaintan, can they function without dialback at the moment?
-
Kev
Did I miss anything for this week?
-
Kev
ProtoXEPs or whatever.
-
ralphm
I knew about all this, of course, but still wondering if the landscape has changed enough to do everything with regular tls/sasl
-
psaintan
MattJ: see http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/ and provide feedback on the xmpp@ietf.org list :-)
-
psaintan
ralphm: for initial connections, yes
-
psaintan
ralphm: for piggybacked domain pairs, unclear
- ralphm nods
-
Kev
Shoving SASL exchanges into the middle of a stream would be somewhat unorthodox.
-
Kev
OK.
-
Kev
3) Date of next.
-
ralphm
psaintan: is this a point of attention in the XMPP WG
-
Kev
SBTSBC?
-
ralphm
?
-
psaintan
although (AOB) I would like to start pushing the community forward to fully encrypted hops
-
psaintan
ralphm: the DNA stuff is
-
ralphm
right
-
Kev
I'll take that as a 'yes' to SBTSBC, then.
-
Kev
4) AOB
-
psaintan
Kev: yes :-)
-
ralphm
Kev: yes
-
Tobias
Yes on the time
-
Kev
So, SEX day. Please, for the love of all that's good, let's not call it SEX day.
-
MattJ
Kev, you could just have the whole meeting yourself :P
-
MattJ
+1
-
MattJ
and I'm replying to that post...
-
psaintan
huh?
-
psaintan
oh
-
Kev
I realise as geeks we have the humour capabilities of a three-year-old, but still.
-
MattJ
psaintan, see Simon's latest email
-
psaintan
I started reading that but hadn't gotten that far
-
psaintan
agreed on the naming!
-
Tobias
Hehe
-
Kev
psaintan: Do we know what 'fully encrypted' means?
-
psaintan
Kev: TLS anyway
-
psaintan
channel encryption
-
psaintan
with cert checking
-
Kev
Cert checking...for what?
-
Kev
CAs?
-
psaintan
RFC 6125 stuff
-
ralphm
Kev: I guess we're done here?
- Tobias has left
-
Kev
Yeah, I'm happy enough that this is a tangent.
-
Kev
Thanks all.
-
psaintan
:)
- Kev bangs the gavel
- Tobias has joined
-
Kev
psaintan: So, this means that any server not automatically fetching certs and doing OCSP and stuff should stop federating, right?
-
Kev
s/certs/CRLs/
-
Tobias
Thanks
-
psaintan
well, no one does OCSP as I understand it
-
Kev
That was somewhat my point.
-
psaintan
Kev: I know you're tired and overworked, so please just s/fully// and we'll move on
-
Tobias
Peter, and crls?
-
Kev
I wasn't being entirely belligerent. If we want to have a big 'turn off encryption and partition the network' event, I think we should have a reasonable handle on what's involved.
-
psaintan
well, sure, people should do all that stuff, but at least doing RFC 6125 checks is a good idea
-
Tobias
What servers do crl?
-
Kev
Tobias: Fully, without having to fetch manually? Just M-Link of which I'm aware.
-
Kev
And even then, only by configuration I think.
-
psaintan
I'm not necessarily in favor of a flag day, but it would be a step in the right direction if several of the larger nodes required TLS and proper certs (and we had helpful HOWTOs in place so that admins of other servers could get up to speed)
-
Tobias
Yup. 3rd party fetching
-
Kev
I'd suggest we just go with 'require unchecked TLS' first.
-
Kev
And this does effectively blackhole gmail, which isn't something I'm entirely comfortable with.
-
psaintan
CRLs and OCSP are two solutions to a problem that might be solved in other ways (e.g., shorter-lived certificates), but that's a wider discussion
-
psaintan
maybe we wait until Google turns off federation
-
Tobias
Peter, nobody knows when that is though
-
psaintan
sure
-
psaintan
so perhaps we need to take the lead
-
psaintan
we don't necessarily make it permanent at first
-
psaintan
we can experiment as people did with IPv6
-
Kev
I don't think anyone (significant)'s tried promoting IPv6 by turning off v4 though, have they?
-
psaintan
heh
-
Kev
I'm not anti-TLS-on-S2S, although I realise my "Let's think this through" sounds a bit like it.
-
psaintan
I'm in favor of c2s first of all
-
psaintan
that's an easier step to take
-
Kev
That one is much easier.
-
psaintan
yes
-
psaintan
and will help us isolate some bugs, fix some software out there in the world, etc.
-
Kev
I'd be happy with someone coming up with a list of steps on the road to secure XMPP, and it probably looks a bit like:
No PLAIN/78 without TLS
No C2S without TLS
-
Kev
Require SCRAM-SHA1-PLUS with TLS where possible.
-
Kev
(e.g. it's not possible while backing on to AD or whatever)
- Tobias has left
-
Kev
I'd be very happy to sort out (1) on j.org, finally.
-
Kev
Then plan to do (2) in a couple of months.
-
Kev
I think (3) might be a little optimistic.
-
psaintan
that seems eminently reasonable
- Tobias has joined
-
psaintan
I wonder which server products have configuration bits for these things
-
psaintan
and whether we need to figure that out for the more widely-deployed servers
-
MattJ
Prosody already disallows PLAIN (or legacy auth, if enabled) on unencrypted connections - and most clients do anyway
-
Kev
I think it'd be good to sort out a roadmap to security.
-
psaintan
Kev: yes
-
Kev
And then we can let the vendors have this, so we know that software can do it.
-
MattJ
and has a config option to enforce TLS
-
Kev
And then gently encourage admins to move towards it.
-
psaintan
we might have carrots and we might have sticks
-
Kev
MattJ: M-Link has a config option to re-enable PLAIN without TLS, and we've got that switched on on jabber.org
-
psaintan
xmpp.net might have a role to play here in reporting and self-testing
-
ralphm
Kev: why?
-
psaintan
I do wonder if prosody-users and buddycloud-dev are the right venues for the discussion :-)
-
Kev
ralphm: Because when we initially deployed, there were so many users that suddenly couldn't connect.
-
Kev
Maybe, three years on, this wouldn't be the case.
-
ralphm
Kev: surely you have statistics on this?
-
psaintan
Kev: yeah, a lot of those users were on old OS X releases IIRC
-
Kev
ralphm: Could generate stats, but I don't have any to hand.
-
ralphm
oh
-
Kev
But we can't generate stats on whether those users have just configured their client in a stupid way, or don't have another option in their client for some reason.
-
Kev
But anyway.
-
Tobias
<3 stats
-
Kev
I'm entirely in favour of just making an announcement once the migration dust has settled and disabling this option on jabber.org
-
psaintan
Kev: yes, I've been waiting to bring up such issues until after the migration
-
Kev
And then making another announcement and after a couple of months requiring TLS.
-
psaintan
yes
-
Kev
I'd /like/ to then require SCRAM-SHA1-PLUS, but that's a bit trickier :)
-
psaintan
:)
-
psaintan
indeed
-
psaintan
one step at a time
-
Kev
Although at least Tobias and I are using clients that'd work fine with it. Anyone else? :)
-
psaintan
I think we all agree on the goal, but we need to be prepared and think through the various issues that will arise
-
Kev
psaintan: 'tis all I ask.
-
psaintan
Kev: I use Swift for stpeter@jabber.org but in Psi at the moment
-
Tobias
psi's just got scram without plus
-
psaintan
and flipping multiple switches at once is a recipe for not understanding what's causing various problems
-
Kev
SCRAM without PLUS isn't much better than DIGEST-MD5 :)
- Zash has joined
-
Tobias
Kev, interop wise it does
-
Kev
Or, at least, it's the -PLUS magic that's relevant to the TLS conversation.
-
Tobias
Sure
- Tobias has left
- psaintan reviews various emails about XEP-0220 so we can advance it
-
ralphm
Kev: everything is much better than DIGEST-MD5 in my humble opinion
-
ralphm
even DIGEST
-
ralphm
eh
-
ralphm
PLAIN
-
psaintan
heh
-
Kev
In terms of interop, yes.
-
Kev
In security properties, maybe not.
-
ralphm
and in terms of bat shit crazy omgbbq who the hell thought this up
-
Kev
Then DIGEST-MD5 > *, yes.
-
Kev
Although I think this is more just a case of 'things have got better, we're better at doing this now'.
-
ralphm
Kev: no
- Tobias has joined
- Tobias has left
-
ralphm
Kev: i.e. your colleagues (among others) were already discussing all the bad things in DIGEST-MD5 over a decade ago over in the sasl wg
- Tobias has left
- Lance has joined
- Tobias has joined
- Tobias has left
- Neustradamus has joined
-
Kev
I wonder if at any point Simon's going to move this discussion somewhere a bit more appropriate than prosody-users.
-
Zash
Heh
-
MattJ
Yes, operators@ would have been more appropriate I think :)
-
MattJ
It's a question of deployment, not implementation
-
Kev
operators@, or if he wants it to be XSF-endorsed, members@
-
MattJ
(at this point I think all popular implementations are capable of what we're discussing)
-
Kev
Could be.
-
Kev
Although I think doing some self-signed CA leap-of-faith-with-dialback stuff would possibly be better than public-CA-based PKI stuff.
-
Kev
Depending what the things people are concerned about are.
- m&m has joined
-
psaintan
OK, I've incorporated fippo's feedback on 220
-
psaintan
but yeah, agreed on operators@
-
psaintan
brb