-
daniel
I want to put http upload on today's agenda. There has been some criticism on the use of normative language which I believe I have addressed now. Before that there was also some criticism on handling headers. This has also been resolved. So I would either like a vote on advancing it since it's technically still in last call or alternatively a vote on restarting last call
-
daniel
What ever people feel is more appropriate
-
Kev
Pre-empting the meeting somewhat, but of TOS I'll say this in advance: It seems like an abuse of adhocs.
-
Zash
Motivation?
-
Zash
Or, elaboration maybe?
-
Kev
A normal adhoc implementation can't deal with it, you need a tos implementation, and the tos server has to reject anyone trying to adhoc it without having the "I'm not really an adhoc I'm a tos" support flag.
-
jonasw
Kev, I can’t defend my case at the moment, I’m at work and about to migrate to commuting, unfortunately
-
Kev
So if you don't want any of the features of adhocs, putting it in an adhoc seems unhelpful.
-
Kev
You could have all the same properties in its own namespace for simpler implementation and less confusion.
-
jonasw
the tos server does not have to reject everyone without the tos flag
-
jonasw
it MAY do that if it needs to
-
jonasw
but I tend to agree that we might want to drop that flag out of this version; there’s nothing in the XEP as it stands which warrants that
-
jonasw
and client-side, you can do fine with a normal, compliant Ad-Hoc implementation, because Ad-Hoc commands may have multiple payloads (and the form is intentionally at the place where it is so that it takes precedence on unknowing clients)
-
sam
I've been thinking about this one and I think I agree. I'm not sure why we need to encode TOS into protocol at all. Just having a standard way to get the text seems like enough. Eg. a standard pubsub node or HTTP location from which it can be fetched.
-
Kev
I'm not intending to block it going to Experimental like this, but I would object to Draft like this.
-
Kev
This really feels like forcing a square adhoc into a round hole.
-
jonasw
Kev, as it stands (minus the "I am tos" flag in the initial request), it /does/ work as Ad-Hoc flow, doesn’t it?
-
Kev
Other than the extra payload? Possibly. But that "I am TOS" flag changes things.
-
Kev
And that you're doing it before authentication.
-
Kev
When iqs don't really work properly, because you don't have a bound resource, etc.
-
jonasw
Kev, the extra payload is ok as per my reading of '50
-
jonasw
we have precedence for pre-bind IQs actually (bind itself being one)
-
Kev
The only one, I think, and that's generally felt to be a mistake by anyone who's had to code pre-auth flows in a server, I think.
-
Zash
Yes
-
Kev
Or pre-stream-is-running, I guess, as it's not pre-auth.
-
Zash
We finally got rid of that in Prosody, so the bind isn't treated as a stanza with exceptions in the "is this session allowed to send stanzas?" code
-
Zash
Now it's a stream element that just happens to be in the jabber:client namespace
-
Kev
'Tis time, 'tis time.
-
Kev
1) Roll call
-
daniel
hi
-
Kev
SamWhited is expecting to be here. I don't remember abotu Ge0rG.
-
Ge0rG
I've delayed my trip home despite an empty phone battery to until after the meeting
-
Ge0rG
I'm here.
-
Kev
SamWhited?
-
Kev
Maybe not.
-
Kev
2) Isn't it nice that Tedd Sterr does the minutes?
-
Kev
Yes.
-
Kev
3) Proposed XMPP Extension: Terms of Services Title: Terms of Services Abstract: This specification provides an in-band, unauthenticated way to request the Terms of Service of an XMPP service. URL: https://xmpp.org/extensions/inbox/tos.html
-
Kev
I don't like this much, but am not blocking it.
-
daniel
same. but i'll give me official vote on list
-
Ge0rG
I think it's great to have a machine-readable way to link the ToS; not sure about the extended features
-
Kev
(That 'not blocking' is +1 for me, BTW, although I wouldn't expect it to go to Draft like this)
-
Kev
Ge0rG: What is that in terms of a position?
-
Ge0rG
+1
-
Kev
4) Date of next SBTSBC?
-
Ge0rG
Wow, that was quick.
-
Kev
I'll take that as a 'yes' :)
-
Kev
5) AOB?
-
Ge0rG
I still can't guarantee my general availability for this time slot. It looks like it has mostly worked so far, so +1
-
SamWhited
Sorry, I am here, now I'm not getting any notifications for this room
-
daniel
yes i would like to continue with http upload
-
Kev
SamWhited: Just the one item for you to vote on.
-
daniel
either make another last call
-
daniel
or just vote on it
-
Kev
daniel: LCs are cheap, so shall we do that?
-
SamWhited
*nods* I'll be on list anyways
-
daniel
there is a small PR pending
-
Kev
..so shall we do that after the small PR? :)
-
Ge0rG
I'm still not lucky about the custom headers.
-
Ge0rG
but my lack of luckiness won't be progress blocking
-
daniel
yeah why note. i was hopeing to speed things up; but why bother; it has been months anyway
-
daniel
so yeah i'll just bring it up next week
-
Kev
daniel: I think that's a reason for making a clean cut with a new LC, but can be talked out of it.
-
Kev
daniel: Or just ask the Editors to send an LC mail once your patch is merged?
-
daniel
> : daniel: Or just ask the Editors to send an LC mail once your patch is merged? yes that was the idea
-
daniel
if council is ok with that
-
Kev
Ok, cool.
-
Kev
AOAOB?
-
daniel
none from me
- Kev gangs the bavel
-
Kev
Thanks all.
-
Ge0rG
Thanks Kev, thanks all
-
Ge0rG
Thanks Tedd.
-
moparisthebest
so as SamWhited already said, why not just https://XMPP_DOMAIN/.well-known/xmpp-tos.txt ?
-
moparisthebest
certainly seems easier than hacking pre-auth support into servers and clients securely
- Zash cries over mandatory records at domain apex
-
Ge0rG
- because not every XMPP_DOMAIN is a web server - because you usually want more markup than .txt
-
moparisthebest
Zash, but which would make you cry harder
-
daniel
> so as SamWhited already said, why not just https://XMPP_DOMAIN/.well-known/xmpp-tos.txt ? Uh I like that actually. But the anti oob people will *hate* that
-
moparisthebest
Ge0rG, like what?
-
moparisthebest
(more markup I mean)
-
Ge0rG
moparisthebest: like HTML.
-
daniel
Ge0rG: but the xep hosts the tos on http anyway, no?
-
Ge0rG
daniel: but not always on XMPP_DOMAIN
-
Kev
FWIW, I'm not a fan of forcing all this stuff about registration and TOS and etc. etc. over XMPP. ISTM that a lot of the time it's much better served by being out of band.
-
Ge0rG
So now I need to setup a dedicated web server with a 30x
-
moparisthebest
Ge0rG, so https://XMPP_DOMAIN/.well-known/xmpp-tos.html then?
-
daniel
Most good xmpp do probably. Because of websocket bosh discovery and stuff
-
moparisthebest
but now you gotta worry about javascript and XSS
-
Ge0rG
Kev: the result of that would be replacing IBR with a web form?
-
Kev
Ge0rG: Pretty much.
-
Ge0rG
Kev: which is... the current status quo?
-
moparisthebest
IBR is basically already replaced with a web form?
-
Kev
There are cases for autoregistration where inband might make sense, but mostly not for users' IM accounts, I think.
-
Kev
Ge0rG: More or less, I think.
-
Ge0rG
Because UX doesn't matter.
-
Zash
IBR can redirect to a web form, you can put the ToS there.
-
Ge0rG
Zash: can the web form than redirect back to a configured XMPP client?✎ -
Kev
I *do* think there's value in being able to provide a ToS banner of some sort at login, though.
-
Ge0rG
Zash: can the web form then redirect back to a configured XMPP client? ✏
-
Ge0rG
Kev: "at login" is illusive in times of always on and 0198
-
Zash
At registration would be nicest, no?
-
Ge0rG
Zash: how do you change the ToS then?
-
Zash
Or you can send a MOTD-like message
-
Kev
Ge0rG: It is, kinda.
-
Ge0rG
MOTD is as illusive as "at login"
-
Kev
Zash: Yes, but if that's out of band that's SEP.
-
moparisthebest
or the client can just check the .well-known URL
-
Ge0rG
moparisthebest: check it for what?
-
moparisthebest
whatever it wants, whenever it wants :)
-
Ge0rG
moparisthebest: how is it supposed to figure out whether the ToS have changed in any significant way? Whether user consent is required to the new ToS?
-
moparisthebest
it can't, show it to the user, done
-
moparisthebest
it's not like the user is going to read it anyway
-
moparisthebest
but they can if they wish
-
pep.
Can we seriously stop requiring http every. fking. where. Re ToS
-
daniel
And then it's up the the admin to notify existing users via message
-
moparisthebest
nope, it's already done, the battle is lost
-
Zash
Kev, what is out of band?
-
moparisthebest
is it better to invent some new complicated thing to avoid using HTTP pep. ?
-
daniel
> Can we seriously stop requiring http every. fking. where. Re ToS Told you
-
Kev
Registration.
-
pep.
moparisthebest: what's complicated
-
pep.
You ask for a document, the server gives it to you
-
moparisthebest
pep., use the correct tool for the job, you can invent some complicated XMPP extension to link to an HTTP URL, or you can use .well-known which is simple and already exists
-
Ge0rG
moparisthebest: and doesn't fulfill the required needs.
-
daniel
Fun side note stateless let's do everything over http jmap just introduced websocket support because apparently http is f*ing slow
-
Zash
ha-ha
-
pep.
When is the switch from TCP/XML to http/json planned for again
-
Zash
pep., depends on how much you wanna listen to the matrix.org ppl?
-
pep.
:)
-
moparisthebest
you know the saying, if all you have is a hammer, everything looks like a nail?
-
Zash
moparisthebest, applies in both directions
-
moparisthebest
xmpp isn't the only tool, sometimes http is more appropriate, no reason it shouldn't be used in those places
-
Ge0rG
moparisthebest: please describe how you will implement mandatory consent and ToS changes with the HTTP scheme.
-
Zash
I don't see why we shouldn't try to enable in-band pointing to a ToS.
-
Kev
Zash: No, I don't think that's fine.
-
Zash
The pointer itself can be HTTP or whatever URI/URL you want
-
moparisthebest
Ge0rG, client fetches TOS before attempting to log in, refuses to log in unless user agrees?
-
Ge0rG
moparisthebest: how does the server know if the client actually checked that?
-
moparisthebest
it can't no matter what
-
Zash
How does Let's Encrypt know anyone actually read their terms?
-
moparisthebest
yep
-
Ge0rG
let's exclude malicious clients for a moment.
-
Ge0rG
How does a server know that the client actually showed the ToS to the user?
-
moparisthebest
excluding malicious clients then it just does
-
moparisthebest
it just assumes they did, it's the best you can do
-
Ge0rG
Uhm. No.
-
Zash
Kev, I don't think I can't not follow all these double negatives.
-
pep.
You'd need to require auth on your webpage
-
moparisthebest
explain how an in-band protocol is different Ge0rG ?
-
Ge0rG
You can't because you don't know whether the client actually supports the feature. And whether the client actually succeeded in fetching the ToS (think wifi portal=
-
Kev
Zash: I'm fine with a mechanism for pointing to ToS from inband. I'm not sure the current protoXEP is the right way to do it.
-
Ge0rG
Kev: you might want to argue your points on standards@
-
moparisthebest
Ge0rG, and how is that different with an in-band approach?
-
moparisthebest
I believe both are still true
-
Ge0rG
moparisthebest: https://xmpp.org/extensions/inbox/tos.html#usecase-expired-reject-bind
-
Kev
moparisthebest: Inband you know that the client requested it because it did so over the current stream.
-
Ge0rG
the inband approach also has a (theoretically) nice way to enforce tos-before-login.
-
Zash
Kev, I can go along with that.
-
Ge0rG
so it's not "we locked you out because you didn't consent in time. Good luck without us now"
- Ge0rG goes OOB now. seeya
-
Kev
o7
-
moparisthebest
in both cases you have the client telling you the user agreed to the TOS
-
moparisthebest
and 0 guarantee any of that happened
-
Zash
Does it matter if "the client" is a browser or an xmpp client?
-
moparisthebest
I don't think so?
-
Zash
Well then
-
Zash
IIRC, in ACME, there's protocol for retrieving an pointer/URL to the terms. The client supposedly shows that to the user, then indicates acceptance by sending a hash of the terms.
-
moparisthebest
yea that's not bad
-
moparisthebest
at least you know the client actually got them
-
Kev
It seems an odd thing to trust the client to have shown something to the user because it said it did, and can prove it fetched it, but not trust the client to have shown something to the user because you remember it fetching it, and it says it did.
-
moparisthebest
maybe the server should just give the user a quiz about the TOS
-
moparisthebest
like 10 random questions from a pool of 50, and they need to get 80% correct to be able to log in
-
moparisthebest
thanks GDPR!
-
Zash
But ACME is IETF-approved prior art, which is why I'm thinking that following that might be sensible.
-
SamWhited
You don't have to confirm that the client did the correct thing, you can't do that anyways. All you can do is confirm that the client downloaded the terms; beyond that it's on them if they don't show it to the user.
-
SamWhited
I seriously doubt if it matters if you confirm that the client downloaded it vs. it downloaded it and hashed it.
-
moparisthebest
I actually implemented that quiz thing for a forum registration back in the day, it really cut down on the number of lazy idiots registering just to ask the same dumb question over and over :)
-
Kev
moparisthebest: I have implemented exactly such a thing for some obscure place (not work related, and not GDPR-related)
-
moparisthebest
small world :)
-
SamWhited
(the hash matters in ACME because it makes the server stateless and means you don't have to have a cookie lying about)
-
Kev
I'm not sure you do anyway, do you?
-
Kev
Or, rather, I'm not sure that there's a useful distinction between "Client downloads terms and then lies about the user accepting them" versus "Client doesn't download terms and then lies about the user accepting them".
-
moparisthebest
it does rule out network errors Ge0rG mentioned earlier I guess
-
SamWhited
Yah, I don't think it matters either way personally, but I can see wanting to make sure you've done all you can so that the client is liable if they it never shows them to the user.
-
SamWhited
Making sure it's downloaded just gives servers leverage to say that it was the client acting in bad faith because they had to actively try to trick us into thinking the user accepted (I suspect, not a lawyer, etc.)
-
SamWhited
Or at the very least gives us more confidence that a bug didn't cause it to skip the TOS request.
-
Kev
It suggests bad caching or whatever isn't at play, yeah.
-
Ge0rG
You folks are totally missing my point, which was that with a fixed https URL, there is no way to ensure from the server side whether the client supports and performs the ToS display game. If you are in GDPR-required-consent territory, you, as a server operator, must be able to prove that the user consented.
-
daniel
Ge0rG: so as a server operator you want to seriously exclude any client that doesn't accept the tos?
-
daniel
Or in other words. Every. Single. Client.?
-
SamWhited
If you use HTTP you have to do a checksum like Zash said if you want that.
-
Ge0rG
SamWhited: no!
-
SamWhited
Ge0rG: what do you mean?
-
Ge0rG
SamWhited: I don't want proof that the client *downloaded and hashed* the ToS, I want some kind of indicator that it displayed them to the user and the user had to click the "accept" button
-
Ge0rG
SamWhited: obvioulsy a malicious client can circumvent any kind of protocol.
-
SamWhited
Ge0rG: You can't get that no matter what, and you don't need it for GDPR.
-
Ge0rG
SamWhited: I can have a data-form with a checkbox
-
SamWhited
Which the client could just submit.
-
Ge0rG
Ge0rG> SamWhited: obvioulsy a malicious client can circumvent any kind of protocol.
-
SamWhited
It doesn't matter as long as you give the client a way to get it; you can't force the user to read it or the client to display it.
-
SamWhited
Right, so there's not much point to checking.
-
Zash
You can do things in good faith and hope for the best
-
SamWhited
Right.
-
SamWhited
At best you can make sure the client actually fetched it, then it's their problem if they don't display it.
-
Ge0rG
SamWhited: there is a substantial difference between "a 'well-defined' URL might or might not provide ToS which a client might or might not download and maybe show to the user which maybe then the user can click through" and "the user had to click a button on a form linking to the ToS"
-
SamWhited
I know, that's why I said you could just do a hash or something. That gives you the bare minimum like an HTTP site would have (eg. we know it was downloaded at least).
-
Zash
daniel, the client exclusion issue also applies to registering on conversations.im and you wanting to get an email to send invoices to. can't do that with protocol atm without excluding all clients.
-
Ge0rG
An IQ with the date/version of the ToS that were accepted is sufficient for the latter.
-
Ge0rG
And if a client doesn't advertise support for xep-tos, you need to either blackhole its comms and send a server-message with the ToS or do other hackery
-
Ge0rG
But "here is a well defined URL" doesn't let the server check whether the client supports showing ToS.
-
SamWhited
This TOS thing people want only has to be done during registration right? Presumably this isn't something you'd care to do before every login.
-
SamWhited
If so, maybe it makes more sense as an extension to https://xmpp.org/extensions/xep-0389.html
-
Ge0rG
SamWhited: except when the ToS change.
-
SamWhited
Ge0rG: then you send them a message saying the TOS changed (just like websites do with email).
-
SamWhited
Or also make it a part of sasl2; there may be some room to make the challenges overlap.
-
Ge0rG
The problem, again, is that with always-on devices the user isn't guaranteed to be in front of the device when the login happens
-
Zash
Ge0rG, they will notice if they are offline a while
-
SamWhited
Isn't that still a problem with the proposal as it stands right now?
-
SamWhited
Also, does it matter? When they pull their phone out or whatever it will have a TOS screen and they will have to accept. Or am I misunderstanding the problem?
-
Zash
Buttons-in-messages!
-
Zash
The Slack thing
-
Ge0rG
messages-in-buttons
-
Ge0rG
buttons-in-messages-in-buttons.
-
Ge0rG
SamWhited: I never claimed the current proposal is perfect. I'm just trying to define the most probable use case.
-
Ge0rG
Obviously, some server admins will just send their users a message, containing a link or the ToS as a dump, at whatever time is appropriate for the server admin, and not care that some users will be woken up by a beeping phone at 3AM
-
Zash
Perfect vs good -- FIGHT!
-
SamWhited
I think I'm just not sure what the problem is you're finding with it.
-
Ge0rG
with the current xep?
-
SamWhited
Yes, because I never suggested that you said the current proposal was perfect, so I have no idea what you're even replying to.
-
Ge0rG
I didn't even point out any issues in the current XEP.
-
SamWhited
> The problem, again, is that with…
-
SamWhited
I'm just trying to understand if you're for or against the general idea, or the specific implementation, or what
-
Ge0rG
I'm for the general idea and not against the specific implementation
-
Zash
Maybe write all this down and post to standards@?
-
Ge0rG
I'm against the idea of just defining a well-known ToS URI and consider the provlem solved
-
SamWhited
That makes sense; thanks. I'm against the current implementation and not against the general idea, I think, but still trying to work out how strongly I feel about it or whether I think it matters.
-
Kev
Ge0rG: I don't think *anyone* is for just having a .well-known and leaving it at that.
-
SamWhited
Honestly, I'm not against that.
-
Kev
If I gave the impression that I'm arguing for that I've grossly misreprented myself.
-
SamWhited
I'm not sure that it's my preferred method, but it does seem good enough.
-
Zash
As optional discovery method, maybe.
-
Kev
But I'm just not a fan of the current spec, particularly around using adhocs with bits that aren't standard adhocs, and of having adhocs inside iqs before authentication.
-
Zash
But ugh, .well-known is meh :(
-
Kev
Or before resource binding, or whatever.
-
Kev
SamWhited: It depends on good enough for what. It's good enough for letting a client find ToS, but I think the ToS XEP is trying to tell the server the user has accepted terms, which a .well-known on its own clearly doesn't.
-
Ge0rG
Kev: no, you were not the one. But there was a claim in the room that this suggestion was made by SamWhited
-
Ge0rG
Anyway, the discussion should be moved to standards@
-
Zash
+1
-
SamWhited
Kev: yah, fair, I guess we'd need some sort of notification to the server too
-
Kev
Ge0rG: Probably true.
- Kev bimbles AFK again.