Concerns were raised to the Mailing list about this opening up a downgrade attack vector, which I didn’t have time to look into yet, so on-list
jonas’
is anyone still here?
Zash
Yeeeees
jonas’
or did muc.xmpp.org fail for everyone except me?
Zash
I guess that reflects reality, but on-list.
Guus
You're live.
Ge0rG
MUC reflection is a thing, isn't it?
jonas’
Ge0rG, doesn’t help if there’s a very non-equally-distributed s2s failure :)
Ge0rG
I'm on-list as well, but I'd appreciate input from people who are into server development and into SASL and dialback things.
Kev has left
jonas’
I expect Zash to cover all that, except maybe being "into" dialback things.
Zash
> I guess that reflects reality
Zash
Except Dialback is very rare these days given the success of Let's Encrypt
pep.
LE doing dialback for us :-°
jonas’
no comment from daniel?
Zash
Yeah, Dialback is equivalent ish to the verification LE does, so I don't think it's a downgrade attack
daniel
Sorry, changing trains just now. Will read backlog in a second
jonas’
if we assume that LE is being used
Ge0rG
both fail under the assumption that the attacker is on the network path between you and the other party, right?
jonas’
so this certainly looks odd, because it mandates dialback if and only if the hostname did not match
jonas’
Ge0rG, though LE uses multiple vantage points to make that harder
daniel
Or at least they will be?
jonas’
maybe
daniel
I'm not sure it has been deployed yet
jonas’
implementation details of LE are not of concern for the spec anyways
dwd has joined
Ge0rG
We got a dwd
dwd
Hello, sorry I'm late, got pulled into something last minute.
dwd
Are we still on 4a)?
Ge0rG
dwd: yes
dwd
OK, good.
Ge0rG
jonas’: I think we need to move that to the list
jonas’
dwd, no worries
jonas’
Ge0rG, I tend to agree
Ge0rG
maybe explicitly ask for input from server developers.
jonas’
it would be nice if someone else could start a thread right away, because (a) my MUA is a mess right now and (b) I’ll be heading out right after this meeting
Zash
Wasn't there a thread already?
Zash
Can continue there
dwd
So I'm comfortably +1 on this, but really because whether an initiator decides to move onto Dialback (and whether a Receiver accepts it) isn't predicated on whether SASL EXTERNAL failed or not.
dwd
Also i looked for a thread on this earlier and couldn't spot one - what's the subject line?
jonas’
I wasn’t aware of a thread either
Zash
Subject: Re: [Standards] XMPP Council Agenda 2020-06-24
jonas’
ah.
jonas’
well
Zash
Well. Not a separate thread.
dwd
Ah-ha.
Ge0rG
it was just a single mail asking whether that's a downgrade attack
jonas’
I suppose a separate thread would be more discoverable.
dwd
It's not a downgrade attack, but I'll explain there in more detail.
jonas’
do we have a volunteer to start the thread or shall we delegate that to the editors?
Ge0rG
it would be great if somebody who's both a server developer and in Council could do that.
dwd
I'll start a thread.
Zash
dwd: But is it best practice?
jonas’
dwd, thank you :)
Ge0rG
dwd: +1
dwd
Zash, I think whether it's "best" is largely irrelevant.
jonas’
can we move on?
Zash
sure
jonas’
or do you think there’s need to discuss this here?
jonas’
taking that as a no
dwd
Let's move on.
jonas’
5) Outstanding Votes
jonas’
I incorrectly accused dwd of having one
jonas’
which I take the full blame for, I misread the doomsheet
Ge0rG
I've sent a -1 for PR #961
jonas’
thanks
jonas’
so we’re clear
jonas’
6) Date of Next
Ge0rG
I hope I'm out of old debt now, and only owe a vote for today's 4a
jonas’
Ge0rG, you are
Ge0rG
+1W WFM
Kev has joined
daniel
+1w wfm
jonas’
+1w most-likely wfm, #thankscorona
Zash
+1
dwd
+1WFM.
jonas’
excellent
jonas’
7) AOB
jonas’
dwd, any news on the video call? :)
dwd
Ah, yes. I remember that now.
jonas’
I’ll take that as a "no" :)
dwd
I have scribbled.
jonas’
I can’t properly interpret that verb
dwd
I have written something down to remind myself I need to arrange a time, URL, etc for a Council video chat.