-
Link Mauve
Hi, I’m ill today so I won’t be here, good night. \o_
-
Tobias
get well
-
Tobias
hi
-
Tobias
1) Roll call
-
SamWhited
Here
-
daniel
Hi
-
Tobias
Link Mauve is excused as he's ill
-
Tobias
have pinged dave in another channel
-
Tobias
2) Minute taker
-
Tobias
I can take minutes if there's no other volunteer
-
daniel
Please do. I'm traveling. Will do the minutes when I get back
-
Tobias
alright
-
Tobias
3) General reminder to vote on things, see pending votes column in trello https://trello.com/b/ww7zWMlI/xmpp-council-agenda
-
SamWhited
Jingle Encrypted Transports was apparently already published, but it's in that column
-
SamWhited
as was the color one.
-
daniel
Maybe because the two weeks ran out?
-
SamWhited
Could be, I'm not actually sure which is wrong.
-
daniel
I don't think I voted on either. But I'm fine with it
-
Tobias
yeah
-
Tobias
4) Vote on advancing XEP-0387: XMPP Compliance Suites 2017
-
Tobias
to Draft that is
-
Tobias
I'm +1
-
daniel
+1
-
SamWhited
As the author I'm +0
-
Tobias
alright. I suppose the rest will vote on list
-
Tobias
5) Consider deprecation of Message Archiving ( https://xmpp.org/extensions/xep-0136.html )
-
Kev
I don't think that's in LC, is it? I don't remember seeing an LC recently, at least.
-
Kev
(compliance)
-
dwd
Mea culpa, meeting was overrunning and I didn't notice the time.
-
SamWhited
oops, yes, that was supposed to be for issuing a LC, not for advancing to draft
-
daniel
I figured as much
-
Tobias
yeah
-
dwd
I was just coming to that conclusion. I'm fine for a last call.
-
Tobias
LC for advancing it to Draft
-
Tobias
SamWhited, why do you want to deprecate XEP-136?
-
SamWhited
RE Message Archiving: we've discussed this before, but I'd like to complain about it again. I was having a conversation with someone the other day that was implementing a server and they said something about having trouble with message archiving. I mentioned that most people seem to use MAM now and that they should probably do that instead and got the usual "but archiving is the recommended one, why would I do MAM?"
-
daniel
I think we should advance mam
-
daniel
Before we deprecate something else
-
dwd
SamWhited, I agree with the sentiment, but let's LC MAM first.
-
daniel
I'm entirely with you on the confusion problem
-
SamWhited
I think we either need to advance MAM and deprecate archiving, or if that's not ready we need to go ahead and deprecate archiving to prevent confusion and just only have an experimental history XEP.
-
Tobias
yeah...I'd prefer advancing MAM first too
-
SamWhited
Since I've heard that "more work on MAM is coming soon" for at least a year, I'm not sure that it's ready to advance, but I would be all for issuing a LC and finding out.
-
daniel
I don't think we should deprecate before there is something else
-
Kev
I don't like deprecating in favour of something with lower advancement, but in this case I think the case is fairly compelling.
-
SamWhited
I disagree, I think we should absolutely deprecate if the community has standardized on something else. Even if that thing is experimental, it can still be the recommendation of this council.
-
dwd
SamWhited, Again, I agree with the sentiment, but I'd want to try pretty hard to nail '313 before deprecating without a replacement.
-
Kev
It's not like there's nothing else, just that the something else isn't Draft.
-
Kev
Whether we continue tweaking MAM or not, we know it's already vastly better than 136.
-
SamWhited
But I do agree that issuing a LC for MAM seems like a reasonable step, maybe I'm wrong about it needing more work.
-
Ge0rG
does the Council want to encourage 136 implementations until MAM is finished?
-
Kev
Ge0rG: Hopefully not :)
-
daniel
Though I admit that the mam situation is a bit problematic. (lots of people use it but it's not really being worked on)
-
SamWhited
I hope not too
-
daniel
But we should fix that situation
-
Tobias
yeah
-
Ge0rG
Kev: in that case deprecating it now might be good?
-
dwd
Ge0rG, I take your point, but I would prefer a push on MAM *first*. If that doesn't work, let's revisit.
-
SamWhited
That is a compromise I can live with. In that case, I would like us to vote on a LC for MAM if possible.
-
Kev
I can probably arrange for a 313 author to request an LC if you want ...
-
SamWhited
This is the second or third time I've run into this specific XEP as a source of confusion, so I'm rather eager to find a solution
-
SamWhited
Or we can just issue one, no?
-
Kev
SamWhited: It was a flippancy, Matt and I are the authors.
-
dwd
Kev, Are you so doing? I think you need to ask an Editor, if you can find one...
-
daniel
SamWhited: does that work without the author requesting it?
-
daniel
Or is that a good idea without the author requesting it
-
SamWhited
daniel: It seems like a good way to encourage authors to submit the changes they've said they have almost ready for a year or more :)
-
Kev
I don't think Council needs the author to request it, although doing so when the author thinks it isn't ready might be a poor idea.
-
Kev
Anyway, issue the LC. No harm will come, as long as you don't then advance it prematurely :)
-
daniel
Let's issue a LC. Maybe that encourages some discussion. Or the author to submit more changes and thus cancel the LC
-
Kev
(Or issue the vote for an LC, as clearly I wouldn't tell Council how to vote)
-
Ge0rG
Kev: if 136 is not an alternative to 313, deprecating 136 is independent of pushing forward 313, right?
-
Tobias
sure...fine with issuing a LC
-
SamWhited
Thanks all. +1 to LC from me (obviously)
-
Kev
Ge0rG: I'm not Council, and Council don't want to deprecate 136 until 313 is LCd, so ... path of least resistance.
-
daniel
+1 for the LC
-
dwd
I would be happy to vote on an LC for 313 now. (And will vote for, FWIW).
-
dwd
Oh. So yeah, -1.
-
dwd
Argh.
-
dwd
+1. I meant +1.
-
Tobias
ok..to make it clear in the history let's start fresh
-
Tobias
6) Vote on issuing a LC on MAM
-
Tobias
+1
-
dwd
+1
-
SamWhited
+1
-
daniel
+1
-
Tobias
thanks
-
SamWhited
I'll add a card; thanks all.
-
Tobias
7) Deprecate XHTML-IM
-
daniel
Lol
-
daniel
Link Mauve loves that xep
-
dwd
Where did that one spring from?
-
Tobias
SamWhited
-
Tobias
he wants us to discuss this yearly
-
Tobias
:)
-
dwd
Oh. Has it been discussed on the list yearly, too?
-
daniel
I think that needs list discussion
-
Tobias
yeah
-
daniel
Even though I personally hate that xep and would like to deprecate it I think it does have a lot of fans
-
dwd
Yeah. Last time it was discussed on the list was back in December.
-
SamWhited
Okay, back to this
-
Ge0rG
I love XHTML-IM.
-
daniel
Or we should maybe do some 'markup in im' xep
-
SamWhited
Similar to the MAM thing, I was playing around with another web client a few days ago and found, yet again, an implementation of XHTML-IM that simply dumped HTML into the DOM and made it trivial to implement XSS's
-
dwd
daniel, Down. Mark*down*.
-
daniel
Since markup seems to be what cool IMs do these days
-
SamWhited
I have never found an XHTML-IM implementation that didn't have this issue (or rather, some didn't, but they did have it originally and it had been fixed)
-
daniel
*that *
-
SamWhited
Literally "never", that is not me making a grand statement for the purpose of making a point.
-
Zash
Big warning in <blink> and red letters at the top of the document?
-
SamWhited
I'm sure *someone* has done this right the first time, but it seems that the default is that the spec encourages people to do it wrong. By leaving it as a recommendation I think we are encouraging security issues.
-
daniel
SamWhited: yes I'm personally all in favor for the same arguments. I think we should even do the 'whatever is worse than deprecated'
-
Ge0rG
SamWhited: all modern applications are full of security issues.
-
daniel
But it does need list discussion
-
SamWhited
Even if we're not comfortable deprecating Message Archiving until there is a replacement, I think this is a security problem and therefore should absolutely be obsoleted (not just deprecated) as soon as possible.
-
daniel
Especially if you want to get Link Mauve on board
-
Tobias
yeah, SamWhited, do you mind writing a mail to standard about the plan of deprecating it and we'll see what comes out of that?
-
daniel
He *loves* xhtml
-
SamWhited
Sounds good, I'll write something up for the list.
-
Tobias
ta
-
SamWhited
Thanks for humoring me.
-
Tobias
7) Date of next
-
Tobias
same time next week
-
daniel
Wfm
-
Tobias
great
-
SamWhited
WFM
-
Tobias
8) AOB
-
daniel
None from me
-
dwd
Just a heads-up that I'll be writing up Surevine's TOTP approach into a XEP or two shortly.
-
Tobias
TOTP?
-
SamWhited
Excellent!
-
SamWhited
Tobias: time based multi-factor auth (Google Authenticator, Yubico Auth, etc.)
-
Tobias
ahh
-
Tobias
great
-
Tobias
no other AOB
- Tobias bangs the gavel
-
Tobias
thanks everybody
-
SamWhited
I can't wait to see that; I'd love to be able to use my yubikey as a second factor in Conversations one of these days
-
Ge0rG
I'd be happy with per-device passwords already.
-
jonasw
I can’t believe people would simply dump an XHTML-IM tree in anything capable of doing something bad with that.
-
dwd
Ge0rG, That has to be included.
-
jonasw
that makes me sad.
-
dwd
Ge0rG, Otherwise you end up having to hit the TOTP device every time you switch networks.
-
Ge0rG
jonasw: people go for convenience first.
-
jonasw
Ge0rG, insert rage here
-
Ge0rG
dwd: right. There needs to be some sensible trade-off here.
-
moparisthebest
yubikey might have some value there
-
moparisthebest
but otherwise, all apps are on the phone
-
moparisthebest
so to login to conversations you need your phone anyway, and you are back to 1 factor no?
-
Ge0rG
moparisthebest: the trick is to have a _second_ phone for 2FA!
-
moparisthebest
ah so user friendly Ge0rG :P
-
dwd
moparisthebest, You're right, but the 2FA control is on the account, so this is a generally recurring problem.
-
Ge0rG
we really need some notion of device identity.
-
dwd
moparisthebest, I can recommend a watch for this, BTW. :-)
-
moparisthebest
Ge0rG, you can already see your other online devices right?
-
Ge0rG
moparisthebest: yes and no. Let me write a short mail to standards@.
-
moparisthebest
I'm still undecided on the whole thing, I think it's fine for people that want it, I don't think I'd want it
-
moparisthebest
I'm not positive it's that much better than just long random passwords for most threats
-
moparisthebest
so you've got:
-
dwd
moparisthebest, No, it is.
-
moparisthebest
1. password leaks, yahoo hacks, etc - long random unique per account password and 2fa protect you the same
-
moparisthebest
2. NSA is after you - cracking long random password is harder than hacking your phone and stealing your 2fa stuff
-
moparisthebest
3. Kidnapped - same
-
moparisthebest
what am I missing? I guess if some random hacks your computer and not your phone? in which case 2fa is an advantage
-
SamWhited
The point is that they work together; 1. doesn't actually make sense, it's operating under the assumption that they are two orthogonal things that attempt to solve the same problems. You have to use both together, 2fa is not a replacement for long random unique-per-account passwords.
-
SamWhited
Same with two. The point is that they have to crack a long random password *and* steal your 2fa stuff. Doesn't matter which one is harder for any given actor.
-
moparisthebest
but for #1 it doesn't make it any harder with 2fa
-
dwd
moparisthebest, Yes, it does.
-
moparisthebest
#2 the NSA can just do both, *maybe* it makes it a bit harder, fair
-
moparisthebest
and I mean who are we kidding, the NSA just hacks your server, it doesn't need your credentials, so that was a dumb example on my part :)
-
SamWhited
It does if your bank was storing your password in plain text. Or if it is random, long, and hard to break but your goal is to slow them down even further even if they do break it.
-
dwd
SamWhited, Or if you get phished.
-
moparisthebest
banks are one of the few places I think 2fa makes sense
-
SamWhited
dwd: indeed
-
moparisthebest
too bad none of them implement it :'(
-
SamWhited
It's also almost not worth using the NSA as an example. Most people's threat model doesn't include a state level adversary.
-
moparisthebest
yep I agree
-
SamWhited
ah yah, I missed your last statement on that.
-
dwd
moparisthebest, There *is* a problem in that many TOTP implementations store the TOTP secret in the clear, and that's bad. It's difficult (especially in XMPP) to do otherwise, though our implementation at least stores it encrypted in the database.
-
moparisthebest
if you do, you should just stay off the internet really :)
-
moparisthebest
I guess in my mind TOTP makes more sense for things you log into, do your business, and log out of
-
moparisthebest
and less for something you plan on staying logged into forever
-
moparisthebest
especially from your phone that doubles as your totp generator
-
dwd
moparisthebest, Sure, which is why any time you'd save your password in the client, you need a way to avoid the TOTP.
-
moparisthebest
that sounds like a good system then dwd :)
-
dwd
moparisthebest, And amazing, we have already implemented most of it. Got to replace the crappy per-client password type thing with a better one I've designed, but it's certainly proved the concept.
-
dwd
moparisthebest, The really painful thing isn't merely using TOTP on the phone, BTW. The really painful thing is signing up to TOTP on the phone.
-
moparisthebest
yea actually that would be a giant pain
-
moparisthebest
back to Ge0rG 's 2 phone thing :)
-
dwd
moparisthebest, But yay, because I don't have a solution there at all.
-
moparisthebest
what about 2 mirrors?
-
moparisthebest
oh, front-facing camera and 1 mirror
-
moparisthebest
problem solved!
-
dwd
moparisthebest, I suspect that trying to open a totp URI on Android might well actually do the right thing.
-
moparisthebest
that's the way, if any totp apps support that
-
moparisthebest
I find redhat's the best https://freeotp.github.io/
-
Tobias
Minutes are out.
-
Ge0rG
moparisthebest: https://mail.jabber.org/pipermail/standards/2017-October/033544.html btw
-
pep.
Wow deprecate xhtml-im. Didn't see that coming.
-
SamWhited
I try to keep you on your toes :)
-
pep.
People are dumb, sure, help them fix their client. Otherwise you can do whatever other markup you want with it. You want markdown, her xhtml-im! You want rST, use xhtml-im
-
pep.
use* dumb android