jdev - 2020-08-01

  1. lovetox

    hm can the new occupant id be used to identify messages from myself in a MUC?

  2. lovetox

    for example from another device of mine?

  3. Zash

    Quite possibly

  4. lovetox

    any server has already a impl for that xep?

  5. Zash

    There's a plugin for Prosody that's deployed in some places.

  6. Zash

    Or so I thought

  7. Zash

    lovetox: Enabled it on conference.prosody.im now if you want to test.

  8. lovetox


  9. lovetox

    Zash and how is that implemented

  10. lovetox

    is it a hash of the full jid?

  11. lovetox

    so the server does not need to store anything?

  12. Zash

    Hash of JID + random value used as salt. The salt needs to be stored, but all the per-JID values can be computed and/or cached.

  13. lovetox

    if it can be computed its not random or?

  14. lovetox

    i dont get why the random value, something like sha256 should be good without anything added or not?

  15. Zash

    The salt is generated once and stored with the room (internal) config

  16. lovetox

    ah ok

  17. lovetox

    so different occupant id per room

  18. Zash

    `HMAC(Bare JID, Room Salt)`

  19. Zash


  20. Zash


  21. lovetox

    why not take the room jid then?

  22. lovetox

    but ok does not matter at this point

  23. lovetox

    i guess room has many settings to be stored

  24. lovetox

    one more does not matter

  25. lovetox

    hm so this means i need to store my occupant id per room

  26. Zash

    I imagine computing it from room jid would make it possible to guess identities.

  27. lovetox

    and fun things happen if the server db is deleted

  28. lovetox

    and suddenly i have a new occupant-id

  29. Zash


  30. lovetox

    i probably should plan for that

  31. lovetox

    so i need to store a list of ids per room

  32. Zash

    https://xmpp.org/extensions/xep-0421.html#id-generation > a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service.

  33. Zash

    Some way to know that the salt got reset could be good

  34. lovetox

    you know when you get a new occupant id on join

  35. Zash


  36. Zash

    And then all previous ids would be invalidated

  37. lovetox

    but i dont know if it was worth the added complexity

  38. Zash


  39. lovetox

    sha(user jid + roomjid) should be secure enough for this use case

  40. lovetox

    i can deal with my own id

  41. lovetox

    but if the goal was to recognize other people, this is really propblematic

  42. lovetox

    but if the goal was to recognize other people, this is really problematic

  43. eta

    lovetox: but then you can figure out whether a known jid is in the room

  44. lovetox

    true eta, didnt think about that

  45. Zash

    lovetox: What do you intend to use it for?

  46. lovetox

    Zash, im not sure yet, but this already tells me it can’t be anythin too serious

  47. lovetox

    my first idea was

  48. lovetox

    show last nicknames of a user

  49. lovetox

    and to be fair, server db reset is probably a major event, all rooms would be gone etc

  50. Zash

    I thought the main use case was having last message correction work from MAM, ie letting you know that the user doing a correction was the same as the one sending the original message

  51. lovetox

    does not happen too often probably

  52. lovetox

    Zash, a yes good usecase

  53. lovetox

    and it would not be bad if the occupant id changes

  54. Zash

    Hopefully it won't change just as someone corrects a typo...

  55. lovetox

    even if, the impact is not really big

  56. lovetox

    so one correction does not work, nothing a user will lose sleep over

  57. Zash

    Better than what happens now :)

  58. Zash

    And if your chat view has avatars then you could show the correct ones for historical messages.

  59. lovetox

    i could use the avatar hash as occupant id :D

  60. lovetox

    not a very good one though