jdev - 2020-04-15

Ge0rG 14:16:29
I'm looking for public servers that have: - IBR with a captcha - Redirection from IBR, https://xmpp.org/extensions/xep-0077.html#redirect - IBR and run ejabberd
Martin 14:17:21
Maybe also ask in operators
Ge0rG 14:17:51
Martin: right, thanks
pep. 14:20:39
jonas’, your ToS thing is up for the taking I assume? Talking about IBR
pep. 14:22:03
I'm finally working on opening up my service and that's a requirement to me. (at least if we get things going I know I won't be stuck with http redirects forever)
jonas’ 14:25:13
pep., -v please
pep. 14:25:41
Long ago when we did gdpr stuff you proposed a tos spec
jonas’ 14:25:47
I know
jonas’ 14:25:54
you can invent something better than that, sure
jonas’ 14:25:59
I don’t intend to continue to work on it
pep. 14:26:16
Right that was my question. I might as well reuse the name :P
DebXWoody 15:18:16
I'm going to implement XEP-0373. Just tried to add my JID like xmpp:user@domain.tld. https://xmpp.org/extensions/xep-0373.html#openpgp-user-ids gpg> adduid Ihr Name ("Vorname Nachname"): xmpp:test@domain.tld Email-Adresse: Kommentar: Sie haben diese User-ID gewählt: "xmpp:test@domain.tld" Bitte keine Emailadressen als Namen oder Kommentar verwenden It's not possible, because gpg says: The name look like a email address. --quick-adduid is working.
flow 15:19:22
DebXWoody, that's more of an gpg API issue
DebXWoody 15:19:50
Yes, but it should look like I did?
DebXWoody 15:20:41
Add the xmpp URI as name and keep mail and comment empty.
flow 15:23:23
I haven't verified that gpg will then produce the according rfc4880 subpacket, but it's not unreasonable that it does
flow 15:24:24
IIRC gpg provides a dump command to inspect the rfc4880 structure
flow 15:24:44
~~one potentially want to use that to verify that the result is compliant to xep373~~ ✎
pep. 15:24:57
~~I think I used xmpp URIs in the email or comment field last time I tried~~ ✎
flow 15:24:59
you potentially want to use that to verify that the result is compliant to xep373 ✏
pep. 15:25:50
I think I used xmpp URIs in the email last time I tried ✏
flow 15:26:29
I'd guess either of name or mail address is fine
pep. 15:26:48
flow, hmm, that'S gonna be slightly problematic if gpg doesn't accept it. Assume most implementations will use gpg / gpgme or similar for this :/
flow 15:27:13
pep., well they should use the high level gpg api for taht
flow 15:27:31
besides older gpg versions are known to have a problematic api
flow 15:27:54
mostly because older gpg versions had no api, so gpg APIs where build around the gpg command line interface and parsed the gpp output
flow 15:28:35
every reasonable OpenPGP API lets you create the User ID Packet with an arbitrary string
flow 15:28:50
cause that is what rfc4880 specifies: https://tools.ietf.org/html/rfc4880#section-5.11
pep. 15:29:22
ok
flow 15:30:06
in the example DebXWoody gave, gpg is trying to prevent the user doing something uncommon (assuming the user wants to use gpg as gpg believes it should be used)
flow 15:30:46
they should use the high level gpg api for taht → they should *not* use the high level gpg API for that
lovetox 15:36:50
gpg lets you do this
lovetox 15:36:56
you just have to pass the proper commands
lovetox 15:37:15
there is a command that lets you skip all those checks
lovetox 15:39:50
for example --allow-freeform-uid
lovetox 15:39:58
Disable all checks on the form of the user ID while generating a new one.
flow 15:40:02
lovetox, yep, DebXWoody already mentioned --quick-add-uid
pep. 15:40:14
One wouldn't use gpg directly though right? :/
pep. 15:40:20
I mean gnupg
lovetox 15:40:55
if the command line app will not support something,i think your chances are low that you can do it programmatically
flow 15:42:41
pep., yes, you would want to use an library providing an OpenPGP API
flow 15:42:55
for gnugp there is gpgme, but I can't comment on its suitability nor usability
flow 15:43:05
but there a dozens of alternatives
pep. 15:43:14
dozens?
flow 15:43:17
https://neopg.io/
flow 15:43:26
https://sequoia-pgp.org/
flow 15:43:44
paul's pgpainless (java)
flow 15:44:14
https://www.openpgp.org/software/developer/
lovetox 15:44:33
gpgme is not very advanced
lovetox 15:44:52
i remember when i implemented gpg in gajim, it didnt even had an api for importing a key
lovetox 15:45:03
the python bindings i mean
flow 15:45:23
the situation of python openpgp APIs was not good a few years ago, I hope that changed
lovetox 15:45:40
i think someone worked on the python gpgme bindings
lovetox 15:45:48
and it can do now more but didnt look since a year
pep. 15:46:04
Yeah last time I checked was the berlin sprint last year
pep. 15:46:37
Using the Rust binding of gpgpme. I might use sequoia someday if I tackle this again
flow 15:46:54
sequoia is in very good standing
flow 15:47:08
definetly something to look out for
pep. 15:47:10
It's been a few years I've known about them, just never had the chance
DebXWoody 16:27:53
gpgme is ok: https://codeberg.org/xmpp-messenger/xmppc/src/branch/master/src/mode/pgp.c#L99
DebXWoody 16:43:43
I like the idea of XEP-0373 and 0027 is obsolete. But I don't get why there is https://xmpp.org/extensions/xep-0373.html#synchro-pep within XEP-0373? Is it ok to skip it or is the client in those case not XEP-0373? My key is on a Nitrokey / Smartcard and I would like to use this key for 0373. There is no need to sync the private key and there is also no need to create a new one for me.
flow 16:49:57
DebXWoody, nothing in xep373 mandates that this is mandatory-to-implement
DebXWoody 16:50:18
ok
flow 16:51:01
the xep(s) deliberately keep a degree of freedom here, while sketching a schema that could work to get the average users to use OpenPGP encrypted XMPP messages (without ideally even being aware that she/he does) ✎
flow 16:51:20
the xep(s) deliberately keep a degree of freedom here, while sketching a scheme that could work to get the average users to use OpenPGP encrypted XMPP messages (without ideally even being aware that she/he does) ✏