jdev - 2019-12-07

  1. paul has left
  2. Daniel has left
  3. bhaveshsgupta has left
  4. bhaveshsgupta has joined
  5. Daniel has joined
  6. kikuchiyo has joined
  7. larma has left
  8. moparisthebest has left
  9. moparisthebest has joined
  10. larma has joined
  11. Daniel has left
  12. bhaveshsgupta has left
  13. bhaveshsgupta has joined
  14. Daniel has joined
  15. bhaveshsgupta has left
  16. bhaveshsgupta has joined
  17. Daniel has left
  18. bhaveshsgupta has left
  19. Zash has left
  20. Zash has joined
  21. bhaveshsgupta has joined
  22. bhaveshsgupta has left
  23. Daniel has joined
  24. Daniel has left
  25. bhaveshsgupta has joined
  26. asterix has left
  27. asterix has joined
  28. asterix has left
  29. Daniel has joined
  30. kikuchiyo has left
  31. kikuchiyo has joined
  32. Daniel has left
  33. Daniel has joined
  34. Daniel has left
  35. Daniel has joined
  36. kikuchiyo has left
  37. kikuchiyo has joined
  38. kikuchiyo has left
  39. bhaveshsgupta has left
  40. bhaveshsgupta has joined
  41. Daniel has left
  42. Daniel has joined
  43. bhaveshsgupta has left
  44. Daniel has left
  45. bhaveshsgupta has joined
  46. kikuchiyo has joined
  47. kikuchiyo has left
  48. bhaveshsgupta has left
  49. kikuchiyo has joined
  50. bhaveshsgupta has joined
  51. kikuchiyo has left
  52. bhaveshsgupta has left
  53. bhaveshsgupta has joined
  54. kikuchiyo has joined
  55. Daniel has joined
  56. paul has joined
  57. kikuchiyo has left
  58. Daniel has left
  59. Daniel has joined
  60. kikuchiyo has joined
  61. Daniel has left
  62. goffi has joined
  63. kikuchiyo has left
  64. kikuchiyo has joined
  65. Daniel has joined
  66. kikuchiyo has left
  67. lovetox has joined
  68. asterix has joined
  69. asterix has left
  70. asterix has joined
  71. bhaveshsgupta has left
  72. kikuchiyo has joined
  73. bhaveshsgupta has joined
  74. kikuchiyo has left
  75. asterix has left
  76. asterix has joined
  77. kikuchiyo has joined
  78. kikuchiyo has left
  79. bhaveshsgupta has left
  80. bhaveshsgupta has joined
  81. asterix has left
  82. asterix has joined
  83. asterix has left
  84. asterix has joined
  85. wurstsalat has joined
  86. kikuchiyo has joined
  87. asterix has left
  88. asterix has joined
  89. ralphm has left
  90. ralphm has joined
  91. debacle has joined
  92. DebXWoody has left
  93. DebXWoody has joined
  94. asterix has left
  95. asterix has joined
  96. debacle has left
  97. asterix has left
  98. asterix has joined
  99. asterix has left
  100. asterix has joined
  101. kikuchiyo has left
  102. kikuchiyo has joined
  103. bhaveshsgupta has left
  104. pulkomandy has left
  105. pulkomandy has joined
  106. bhaveshsgupta has joined
  107. asterix has left
  108. asterix has joined
  109. asterix has left
  110. asterix has joined
  111. bhaveshsgupta has left
  112. bhaveshsgupta has joined
  113. pulkomandy has left
  114. pulkomandy has joined
  115. asterix has left
  116. pulkomandy has left
  117. asterix has joined
  118. ralphm has left
  119. pulkomandy has joined
  120. kikuchiyo has left
  121. asterix has left
  122. asterix has joined
  123. bhaveshsgupta has left
  124. bhaveshsgupta has joined
  125. kikuchiyo has joined
  126. bhaveshsgupta has left
  127. bhaveshsgupta has joined
  128. goffi has left
  129. debacle has joined
  130. asterix has left
  131. asterix has joined
  132. pulkomandy has left
  133. pulkomandy has joined
  134. lovetox hm can you "login" to an existing anonymous account?
  135. lovetox Gajim has the anonymous checkbox, in its login dialog and on the create new account dialog
  136. lovetox so im not sure for what that is
  137. lovetox i always thought anonymous is when i ask the server to give me some throw away jid
  138. lovetox and the jid is gone after i end the session
  139. pep. "lovetox> hm can you "login" to an existing anonymous account?" < that's a server impl. detail no?
  140. pep. I don't think a client can request it
  141. Zash How would you login to an existing account without any credentials?
  142. lovetox yeah makes not much sense
  143. lovetox there is no username specified anywhere in the flow
  144. lovetox so even if i wanted i couldnt tell the server a preferred jid
  145. Zash You can pass something as data tho, but that's probably ignored
  146. strar has left
  147. lovetox no fixed jid is a bit of a problem client impl wise
  148. lovetox this means i cant add a account in a traditional way, as the jid was my account identifier
  149. Zash But that's sorta the case for normal accounts too. The username you enter in SASL doesn't have to be your JID localpart.
  150. lovetox yeah what else can it be?
  151. lovetox and where should i as client get that value
  152. Zash Anything
  153. Zash You get your JID in resource binding
  154. lovetox yeah but looking at IBR
  155. lovetox there is no way the server can communicate a username that is not the localpart of the jid
  156. lovetox it cant say, hey you registerd a@a.at, but your username is lovetox
  157. lovetox but i hear you, its not a must in theory that sasl username == jid
  158. lovetox but i hear you, its not a must in theory that sasl username == localpart
  159. Zash https://xmpp.org/rfcs/rfc6120.html#sasl-rules-username
  160. Zash username == localpart is recommended and the most common I imagine, outside some rare special deployments
  161. Zash Hm, there are some authentication backends for Prosody that use the database of some web forum software, which allows usernames that aren't valid JID nodeparts, so there's some mangling going on there.
  162. strar has joined
  163. lovetox funny IBR does not even return the jid registered
  164. kikuchiyo has left
  165. lovetox so the server could register another localpart and tell me while binding
  166. Zash And the email ecosystem often use the entire email address as username, which makes it a massive pain to use
  167. Zash Does IBR2 fix that?
  168. Zash Hm, https://xmpp.org/extensions/xep-0389.html looks kinda unspecified in that area
  169. Daniel has left
  170. lovetox this also fails at almost any xmpp client
  171. lovetox almost any client specifices a jid and pass field
  172. Zash Sure
  173. lovetox obviously the client can never guess the username from the jid if its not the localpart
  174. Zash True
  175. Daniel has joined
  176. lovetox so it would need to be a username field
  177. pulkomandy has left
  178. lovetox and a second field specifing the server
  179. lovetox in a walled garden the second field would not be needed
  180. lovetox funny that gajim has exactly that UI right now
  181. lovetox which most people feel is a pain
  182. Zash Can you type user@host as username?
  183. lovetox no, because Gajim puts both username and server together afterwards and it would yield an invalid jid
  184. Zash It's probably okay to not support username ≠ localpart deployments, or hide away the connection details for that in some advanced settings section
  185. Zash Gajim Enterprise Edition? 😀
  186. lovetox what really hurts is that the jid is our main key for everything account related
  187. kikuchiyo has joined
  188. lovetox and with anonymous this changes on every connect
  189. lovetox maybe i just make the domain the key for anon accs
  190. lovetox and just allow one anon acc per domain in Gajim
  191. bhaveshsgupta has left
  192. pulkomandy has joined
  193. bhaveshsgupta has joined
  194. bhaveshsgupta has left
  195. bhaveshsgupta has joined
  196. debacle has left
  197. asterix has left
  198. asterix has joined
  199. Daniel has left
  200. pulkomandy has left
  201. Daniel has joined
  202. asterix has left
  203. asterix has joined
  204. asterix has left
  205. asterix has joined
  206. pulkomandy has joined
  207. asterix has left
  208. asterix has joined
  209. asterix has left
  210. asterix has joined
  211. bhaveshsgupta has left
  212. kikuchiyo has left
  213. bhaveshsgupta has joined
  214. sonny has joined
  215. asterix has left
  216. asterix has joined
  217. asterix has left
  218. asterix has joined
  219. pulkomandy has left
  220. pulkomandy has joined
  221. asterix has left
  222. asterix has joined
  223. kikuchiyo has joined
  224. sonny has left
  225. bhaveshsgupta has left
  226. pulkomandy has left
  227. asterix has left
  228. asterix has joined
  229. pulkomandy has joined
  230. kikuchiyo has left
  231. lovetox we dont have any XEP for password resets or?
  232. kikuchiyo has joined
  233. lovetox we should really get IBR2 going
  234. rion has left
  235. Zash Everything2 😀
  236. pep. 0389?
  237. pep. Or a new one?
  238. Zash XMPP2
  239. asterix has left
  240. asterix has joined
  241. asterix has left
  242. asterix has joined
  243. lovetox yes 0389
  244. lovetox though actually 0389 is missing the mutli stage functionality
  245. Zash lovetox, can I interest you in poking Sam or possibly taking over as author? 🙂
  246. lovetox ah i see its a little sentence at the end
  247. lovetox the server MAY send another challenge.
  248. Zash > If the client successfully completes the challenge, the server MAY return an empty <success/> element qualified by the 'urn:xmpp:register:0' namespace, MAY? What else would it do?
  249. lovetox yeah it seems a bit weird, it seems like this is a XEP that is reused by other XEPs
  250. Zash SASL2, IBR2 and .. BIND2?
  251. lovetox and it lacks examples
  252. lovetox and Zash now i know why IBR uses IQ before bind
  253. lovetox because all libs support callbacks on IQ responses, which you dont have with nonzas
  254. Zash Hack 🙁
  255. lovetox so implementing the whole process with nonzas is a bit harder
  256. Zash But they need to for SASL
  257. lovetox at least it would be nice to have ids on these nonzas
  258. lovetox so we can add callbacks for these in the future
  259. Zash I don't see the point. Pre-resource binding shouldn't have more than one thing anyways.
  260. Zash There should be no async or out of order events.
  261. asterix has left
  262. asterix has joined
  263. rion has joined
  264. Zash The point of id attrs are that you can send many requests and the answers can come back in any order.
  265. lovetox hm true
  266. lovetox but the same thing must work in a after-bind situation also
  267. lovetox hm or does it
  268. lovetox ah yes, for the change-password flow
  269. lovetox though this is maybe excluded here
  270. lovetox and should rightfully excluded out of IBR
  271. lovetox as it mixes, pre-bind and after-bind use cases
  272. Zash agree
  273. Zash Hm
  274. lovetox change password should be just a adhoc flow
  275. lovetox there is no need to invent something new here
  276. lovetox adhoc has everything you would ever need for a change password flow
  277. Zash You might need some way to signal that a password change is mandatory tho
  278. lovetox adds too much complexity in my opinion
  279. Zash Like, right after password recovery
  280. lovetox just send a email out to your users
  281. lovetox or a xmpp message with a weblink
  282. lovetox but if you would do this
  283. lovetox this would also be a pre-bind deal for me
  284. lovetox right after auth
  285. lovetox present a must change password flow
  286. Zash was just looking for that in https://xmpp.org/extensions/xep-0388.html
  287. pulkomandy has left
  288. lovetox yeah its under 2.6.3
  289. lovetox so yes SASL2 would support that
  290. Zash Hm
  291. lovetox ok so we have multistage pre-bind ibr with ibr2
  292. Zash If password change can be either required or optional, then an user-initiated password change could be done by logging out and logging in+changing password
  293. lovetox we have pre-bind password changes with sasl2
  294. lovetox leaves a simple xep that has after-bind password changes via adhoc
  295. Zash I wonder if that makes things easier for servers, as you rather want to kill/reset other sessions when the password is changed.
  296. asterix has left
  297. asterix has joined
  298. pulkomandy has joined
  299. lovetox problem is migration
  300. lovetox i was just thinking about 2FA
  301. lovetox but servers could offer both SASL as long as no 2FA is set
  302. lovetox and afterwards only SASL2
  303. Zash Sure
  304. lovetox ah no
  305. lovetox the server does not know the account before SASL :D
  306. lovetox so it cant just leave SASL2 out
  307. Zash Hm
  308. lovetox so you can always make a downgrade attack
  309. lovetox except for server who only support SASL2, which makes migration a pain
  310. Zash Hm, like the problem of upgrading stored hashes to SCRAM-SHA-256 or so
  311. Zash So you can't enable 2FA until everyone supports SASL2
  312. Zash or someting
  313. Zash I started on a SASL2 impl but I don't think it's complete
  314. Zash Would be good to have a client to test with tho
  315. kikuchiyo has left
  316. lovetox its not an attack i misspoke
  317. lovetox after enabling 2FA server has to fail the SASL1 flow obviously
  318. lovetox so no its not that big of a problem i guess
  319. lovetox users just have to be warnded if they activate 2FA they can only connect with clients that support 2FA
  320. lovetox obvious
  321. Zash But it affects everyone on the server
  322. Zash Or does it?
  323. lovetox no, 2FA can be set per account i guess
  324. lovetox could be a simple option in the register flow
  325. Zash So SASL1 would succeed for those
  326. lovetox yes
  327. Zash .. .that hasn't enabledit
  328. Zash I suppose you can make it so that the server doesn't let you enable 2FA from a client that used SASL1
  329. Alex has left
  330. Alex has joined
  331. Zash Then they can't lock themselves out as easily, and there's some incentive to upgrade
  332. lovetox how would you activate 2FA
  333. Zash Dunno
  334. lovetox only via IBR2
  335. lovetox so that must be a client that does support IBR2 but not sasl2
  336. lovetox in normal ibr there is no multistage
  337. lovetox which you need for any 2fa setup
  338. Zash Not being able to upgrade an existing account to 2FA seems like meh tho?
  339. lovetox yeah i guess there needs to be a own xep for that
  340. Zash You'd want to do that in connection to password change or something
  341. Zash XEPlosion!
  342. Zash 😀
  343. lovetox 2FA upgrade can be done again via adhoc
  344. lovetox no need to invent something there
  345. lovetox great
  346. lovetox SASL2 offer a stream feature of <mechanisms/>, qualified by the "urn:xmpp:sasl:1" namespace
  347. lovetox fits
  348. Zash heh
  349. Zash Well if you come up with a reason to bump the namespace, and then never again...
  350. Zash or it could be ...:sasl2:1
  351. pulkomandy has left
  352. pulkomandy has joined
  353. lovetox hm theoretically it should be easy to implement SASL2 in nbxmpp
  354. lovetox as SASL1 is already writte like a plugin
  355. sonny has joined
  356. kikuchiyo has joined
  357. pulkomandy has left
  358. pulkomandy has joined
  359. sonny has left
  360. Daniel has left
  361. Daniel has joined
  362. pulkomandy has left
  363. sonny has joined
  364. Daniel has left
  365. Daniel has joined
  366. pulkomandy has joined
  367. Daniel has left
  368. Daniel has joined
  369. pulkomandy has left
  370. pulkomandy has joined
  371. asterix has left
  372. asterix has joined
  373. kikuchiyo has left
  374. pulkomandy has left
  375. asterix has left
  376. asterix has joined
  377. pulkomandy has joined
  378. aj has joined
  379. sonny has left
  380. kikuchiyo has joined
  381. pulkomandy has left
  382. pulkomandy has joined
  383. pulkomandy has left
  384. pulkomandy has joined
  385. pulkomandy has left
  386. kikuchiyo has left
  387. debacle has joined
  388. kikuchiyo has joined
  389. kikuchiyo has left
  390. Ge0rG has left
  391. kikuchiyo has joined
  392. SouL has left
  393. ralphm has joined
  394. asterix has left
  395. asterix has joined
  396. asterix has left
  397. asterix has joined
  398. asterix has left
  399. asterix has joined
  400. asterix has left
  401. asterix has joined
  402. Alex has left
  403. Alex has joined
  404. asterix has left
  405. asterix has joined
  406. ralphm has left
  407. ralphm has joined
  408. paul has left
  409. pulkomandy has joined
  410. pulkomandy has left
  411. pulkomandy has joined
  412. asterix has left
  413. asterix has joined
  414. asterix has left
  415. pulkomandy has left
  416. pulkomandy has joined
  417. kikuchiyo has left
  418. kikuchiyo has joined
  419. strar has left
  420. strar has joined