moparisthebestI figured I should show up for this council meeting since you'll be discussing advancing XEP-0368, I'll just stay quiet unless someone highlights me :)
Tobiasseems it's about time
Tobias1) Roll call
Dave CridlandHere, but not be for long.
Dave Cridland(Daughter has a doctor's appt)
TobiasLink Mauve, SamWhited?
Tobiasmaybe they'll join later
Tobias2) Minute taker
TobiasI offer to do it, if nobody else wants
Link MauveI’m here.
danieli was just about to say that it's my turn again. but I can do it next time
danieloh no actually I can't because i'm probably going to be on a train to brussels
Tobiasok..last week we didn't clearly indicate that we wanted to vote on things..so here explitily again
Tobias3) Voting to Advance XEP-0333 to Last Call
TobiasDave Cridland, still there?
Dave CridlandYes, sorry. +1.
Tobias4) Voting to Advance XEP-0233 to Last Call
Dave CridlandStill confused as to why Mili Verma's not listed as an author, mind.
Link MauveOn list too, I started reading the referenced specifications but I still don’t grasp all of the mechanisms there.
SamWhited+1; Mind you, I don't feel that I have enough knowledge of Kerberos to know if this is a valid way to do things, or if it's used anywhere or if there have been deployment issues, etc. but I figure that's what LC is for.
Dave CridlandSamWhited, Mili's edits basically were in response to developing this on WIndows and UNIX.
Dave CridlandSamWhited, So I think it's well past ready.
Tobias5) Voting on moving XEP-0368 forward (issuing LC)
Tobias6) Short update on XEP-0300 fixing
TobiasI've updated XEP-0300 https://github.com/xsf/xeps/commit/2f21fbef22d484d1651596aeb279b3386398c183 would be nice if people could give a quick overview sometime if they see issues with that, if not we can issue an LC to move that to draft in a couple weeks
Tobias7) Voting on moving 2010 compliance suites to obsolete to prevent confusion while we work on the 2017 ones
SamWhitedfor background, I plan on writing the 2017 ones on the flight to Brussels and withdrawing the 2016 ones
Link MauveI’ve read it earlier, I was wondering whether making sha3-256 and blake2b-256 mandatory is that sensible before every crypto library is well updated to support them.
Link MauveRe: 6)
Link MauveTobias, +1.
Link MauveTobias, also obsoleting the 2012 ones.
SamWhitedOh are there 2012 ones too? Yah, +1 to obsoleting both of them.
Dave CridlandI don't really care, but I'm not sure it's worth the effort.
Dave CridlandBut absolutely not a hill for me to die on.
TobiasLink Mauve, something for the next meeting to vote on then...don't want the topics/voting issues to change mid-meeting, especially not mid-voting
Tobias8) Date of next
TobiasDoes next week work for everyone, or do we want to skip a week?
Link MauveI won’t be here next week, I’ll be on the train to Brussels.
Dave CridlandI'm not here next week.
danieli have to check my train schedule again. but i'm fairly certain i'm on a train at 1600Z
SamWhitedWe could have a small impromptu meeting a little bit later in the day next week
Dave CridlandI'll be driving to Bristol. To take a plane to Amsterdam. To take a train to Brussels.
SamWhitedOr on the 2nd
Tobiasright, so it'll probably make sense to skip a week
Dave CridlandHow many of us are in Brussels on Thursday?
danieleither move it back a couple of hours or skip it
danielThursdays yes. also wednesday
TobiasDave Cridland, i guess everyone
Dave CridlandWe have had a Council meeting in the Summit before, could be fun to do again - might get someone else to take minutes.
Link MauveFinally! \o/
SamWhitedFind a pub and rope someone in to take minutes with the promise that I'll buy them a beer :)
Tobiassure..so sometime thursdays next week?
Tobiasgreat...even if we fail to arrange it, there'll still be a week afterwards :)
Tobiasdoesn't look like it
Tobiasbangs the gavel
Link MauveThank you.
SamWhitedTobias: RE 0300, I had the same thought as Link Mauve — how wide spread is sha3? I know the Go standard library has an implementation, but it tends to be ahead of other things. Eg. does Java have one? I don't think Rust does yet (not that that's very relavant, but it's the only other thing I really pay attention too)
TobiasLink Mauve, what environments do you know of with bad sha3 support?
Link MauveNone actually, but probably older openssl don’t have it yet.
Tobiasfor anything C/C++ related it's probably a little issue as there's ready to use reference impementation code for sha3 and blake
SamWhitedDoes stable Debian OpenSSL?
ZashThere's code, but it's not exposed
Tobiasrecent openssl has blake, they should have sha3 too, not?
SamWhitedOh hey, I lied, Rust has sha3 in the standard library already.
Tobiasbouncycastle also has SHA3
SamWhitedor rather, it has an implementation already.
Link MauveOpenSSL apparently still doesn’t have it, according to https://github.com/openssl/openssl/issues/439
SamWhitedPersonally I think it would be good to leave it as a SHOULD at least until OpenSSL has it.
TobiasOracle Java seems to have it since, earlier this month https://bugs.openjdk.java.net/browse/JDK-8004078 ^^
ZashThere's a keccak1600.c in the sources, however it's not used by anything
Link Mauvedaniel, any information about Android?
danielLink Mauve, not from the top of my head
SamWhitedIf bouncy castle has it would it not work on Android?
danielSamWhited, if bc has it everything is fine
Link MauveFyi, Python got both sha3 and blake2 only in 3.6.
Tobiasalso the idea was having multiple algorithms set to MUST, so implementations strive to support as many of the MUST ones as possible...the it's more likely that there is matching support between two entities
Link MauveI’m not against it, I was just wondering whether it wouldn’t be a bit too early.
TobiasLink Mauve, considering how rarely we seem to have updated XEP-0300 the idea was to make it more future proof :) but happy either way...but we should at least aggree on it before voting on it to LC
SamWhitedHmm, I could go either way now. Future proof sounds good; I wouldn't want to block either way.
Link MauveSame, I’m fine with LC as is.
ZashIsn't there some RFC / BCP you can point to for recommendations, so we don't need to update it as best practices change?
Tobiasgreat...also added a table for the textual names of the new hashes...IANA is a bit slow there, as their table was last updated 2006
TobiasZash, i don't know of one
TobiasZash, I imagine the TLS spec has hash recommendations
TobiasZash, then again, RFCs don't get updated..only replaced by other RFCs