XMPP Council - 2020-05-07


  1. pep. SamWhited, reading https://www.ietf.org/id/draft-whited-kitten-password-storage-02.html, why the use of PRECIS? That seems like convenience and rather opposed to security
  2. pep. Do I understand correctly that the goal is to canonicalize unicode?
  3. pep. Do I understand correctly that the goal is to normalize unicode?
  4. pep. Not saying there are no advantages to doing normalization, just curious if it's aligned with the goals of the RFC. It is indeed titled "best practices" and not "most secure" (or similar), but then security is mentioned everywhere else in the document
  5. pep. Also I'm genuinely curious how not doing normalization for passwords can lead to security issues
  6. pep. The rest is probably too technical for me, sorry :P
  7. pep. I'm no crypto person
  8. pep. -> s/ a users identity\./ a user's identity\./
  9. SamWhited No worries about reviewing the hashes and stuff, thanks for the suggestion and correction! You're right that PRECIS isn't *really* much of a security mechanism, but it stops users from locking themselves out of their accounts so I think it's a best practice. You may be right, I'm not sure if it belongs in this document or not. Hopefully there will be discussion on list about that
  10. pep. Maybe it just wasn't obvious enough to me reading the section that this was a convenience thing. Well.. I can see how locking yourself out can lead to security issues maybe :x
  11. pep. Writing that down on paper (even though I'm sure they'd do it anyway), calling some phone number/sending an email to get your password back and giving your old password to somebody, etc. etc.
  12. SamWhited Locking yourself out in the sense that if you type your password for the first time on a keyboard that spits out a full-width character, or a non-ASCII space, but all your keyboard layouts spit out ASCII space or the half-width version of the character, you're stuck :)
  13. pep. I haven't been in this case, even though I've lived in a CJK country for a few years :p
  14. pep. But then I'm certainly not your target
  15. SamWhited Yah, I don't know how common it actually is
  16. SamWhited Fixed the typo on my personal copy (not yet uploaded to the IETF site until I get a few more changes in); thanks! https://rfcs.samwhited.com/draft-whited-kitten-password-storage-03.html
  17. pep. :)
  37. Zash We use SASLprep now so seems a natural step.
  52. dwd SamWhited, Simon Josefsson is absolutely the best person to talk about channel bindings, indeed.
  53. Zash Do they into XMPP?
  54. dwd I don't actually know.
  79. MattJ Simon was on XMPP at some point in the past, and ran his own server
  80. MattJ No idea if that's still the case
  81. SamWhited Oh nifty, in his reply he mentioned that it would be nice to have a method for negotiating CB at some point but not to worry about it yet and focus on the new I-D, but I went ahead and sent him the protoxep and said we'd love his feedback if he wanted to join the list, maybe he'll be more inclined to do so then.