-
Daniel
Quick reminder of our meeting today. Our last meeting if I'm not mistaken.
-
Daniel
There are pending votes on channel binding types and Forums. Both pass if you ignore them. (they both have the minimum 3 +1s)
-
Daniel
However I usually feel a bit better if we don't pass things through default and instead actually review them
-
Kev
I think they only pass if the voting period ends before the end of the Council term, or they're ended by everyone having voted, don't they?
-
Kev
That is - I think votes that are open at the end of Council term get reset, although maybe I'm misremembering.
-
Daniel
Strictly speaking you are correct. The forum one has its voting period end and would default to pass
-
Daniel
Channel binding would be brought into the next council period
-
Daniel
In any case. Just read the damn thing
-
singpolyma
I think I'm only pending on forum. I guess my concerns are not enough to -1 if others are ok with it so I will +0
-
moparisthebest
> Move 'XEP-0440: SASL Channel-Binding Type Capability' to stable
I'm assuming we can still update security considerations after moving to stable... but sure seems like this should explicitly mention that tls-unique isn't secure since it defeats the entire purpose of channel binding
-
moparisthebest
do we have evidence that tls-server-end-point is secure over TLS 1.2 without the extended master secret? If not also seems like it should err on the side of caution and just say channel binding shouldn't be done at all outside of TLS 1.3
-
singpolyma
Secure is hardly a binary state. But certainly it should say that any channel bindings are defined elsewhere and their security considerations must be considered
-
moparisthebest
> Secure is hardly a binary state
sure, but when the *entire purpose* of the XEP is to secure against MITM I think it should mention things that don't accomplish that in any way, like tls-unique
-
moparisthebest
an implementor shouldn't need to additionally read and understand the entire history of TLS to implement this so it actually accomplishes the single goal of this XEP
-
moparisthebest
this isn't like a theoretical problem, we have *all* current implementations of this XEP that don't do it securely, and think they are protecting against MITM when they aren't at all
-
moparisthebest
and it's not a legacy thing either, extended master secret https://datatracker.ietf.org/doc/html/rfc7627 was published in 2015, it was known without a doubt tls-unique was broken before that, yet 440 wasn't published until 2020 and we are sitting here with all these vulnerable implementations
-
Daniel
It's time
-
Daniel
1) roll call
-
goffi
.o/
-
larma
๐
-
dan.caseley
Here!
-
dan.caseley
But only just. Did a conference. Caught the germs.
-
goffi
dan.caseley, get well soon.
-
dan.caseley
Thanks :)
-
daniel
2) Agenda bashing no agenda for our last meeting
-
daniel
3) Editor updates
-
daniel
STABLE: XEP-0485 (PubSub Server Information) as per our vote last week
-
daniel
UPDATED: XEP-0492 (Chat notification settings)
-
daniel
4) Items for voting
-
daniel
none
-
daniel
5) Pending votes
-
daniel
i have larma on forums and larma and goffi on channel binding i believe...
-
goffi
+1 on channel binding
-
larma
+1 on both
-
daniel
6) Date of next
-
daniel
technically none. just in case some of us get re-elected i suggest +1w
-
larma
+1w should wfm
-
goffi
+1w if re-elected wfm
-
daniel
7) AOB
-
daniel
no AOB, i assume
-
daniel
8) Close
-
daniel
Thank you all
-
goffi
Thanks Daniel, thanks all.
-
dan.caseley
Thanks everyone! That felt like a good year.
-
dan.caseley
And thanks Daniel for shepherding!
-
singpolyma
> And thanks Daniel for shepherding! ๐
-
Guus
A heartfelt thank-you for your expertise! Next year's Council candidates promise the exact same level of excellence. Verbatim.
-
emus
Thank you Daniel!