-
Sam
Thanks; I got curious and gave it a shot so I want to steal your tests and also see if you're doing anything XML-wise that I don't know about and need to fix
-
moparisthebest
Sam, is your implementation public? I'm equally curious :)
-
Sam
I'll push it up somewhere
-
Sam
moparisthebest: https://pkg.go.dev/mellium.im/xml
-
Sam
It's a bit different from yours, right now it only splits a byte stream on possible XML tokens. It may split out things that are invalid, but I don't believe it will ever split something that should be valid incorrectly. Later maybe I'll add a higher level thing that actually parses tokens, expands self-closing tags, etc.
-
Sam
Although I should also say that I wouldn't use this as the basis for the actual parser probably. You wouldn't want a parser to consume a giant chunk of text where right at the beginning it could have realized it was invalid, you'd want to error as soon as possible, so it would copy some of the splitter's work but not use it exactly because the parser can error, the splitter can't.
-
lovetox
hm i just read an article on hackernews, and in a comment someone mentioned this protocol for contact discovery
-
lovetox
https://contact-discovery.github.io/
-
lovetox
which the authors claim is privacy friendly and scalable
-
lovetox
i guess only phone clients care about that
-
Zash
From the prominence and frequency of the word 'mobile', sure sounds like it'll be about phone numbers, yeah.
-
Zash
Probably way harder if you include other identifiers.
-
mathieui
the protocols they propose do not seem to be linked to phone numbers though
-
mathieui
from a quick look, it’s bloom filters with crypto sprinkled on top, which is nice for the purpose of not sending your address book to the server, and also the enumeration attacks they found
-
mathieui
not really much help for discovery in a federated setting as far as I understand it
-
Zash
Not the same problem I guess
-
mathieui
(both client and server need to know the phone numbers of the dataset)
-
Zash
Wasn't there cryptomagic that let you query an encrypted database? I definitely saw a video presentation about that once.
-
mathieui
I mean, it *can* be useful if implemented to find contacts on a server, by e.g. querying phone numbers or emails against whatever is in the vcard
-
mathieui
but I don’t see it going much further than this
-
Zash
As in, no federation?
-
Zash
So the solution is to centralize it, like Matrix with their Identity Server stuff.
-
Zash
Not totally unlike the Quicksy directory
-
mathieui
Zash, well, except worse
-
mathieui
that’s "Private Set Intersection", what you get as a result, is "which elements are in both of these sets"
-
mathieui
that does not help you resolve a JID from another element
-
mathieui
(but I like the idea though, did not know about it)
-
mathieui
(I would be happy to be proven wrong about the uses for xmpp contact discovery, I’m not a cryptographer :p)
-
Zash
What if...
-
Zash
You do that, but p2p
-
mathieui
Error: not enough information
-
Zash
As in, ask your contacts if they have the JIDs of anyone in your phonebook
-
Zash
Assuming PSI lets you do that without leaking
-
mathieui
that could work
-
mathieui
it does not leak info, as far as I can tell
-
pulkomandy
I'm more comfortable sending my contact list to Google or some other supposedly big evil company than sending them to all my contacts
-
mathieui
but there needs to be a negotiation and quite a bit of computation involved
-
mathieui
pulkomandy, the contact does not know your contact list :p
-
mathieui
that is kind of the point
-
Zash
Tho they would, by necessity, get the intersection of the contact lists?
-
mathieui
I believe they do not know what is in the intersection as well, but I would need to read one more paper for that
-
Zash
Hm, is it useful then?
-
mathieui
ah, apparently they do know about the intersection
-
mathieui
which is obviously a big no for p2p then
-
Zash
obviously?
-
Zash
Is "hey can you give me the JIDs of our mutual contacts" a bad thing?
-
mathieui
well, it leaks your social graph, which is not necessarily what people would want to share
-
mathieui
even with contacts
-
pulkomandy
especially with contacts I'd say?
-
mathieui
pulkomandy, I tend to appreciate my contacts :p
-
Zash
Eh, can't think of anything better than the stuff Snikket is doing then.
-
pulkomandy
but not everyone has an easy life like that :) good for you if you can
-
mathieui
also you still have the issue of "the numbers matched, here are the JIDs", and the JID part is not cryptographically secure so anyone could like
-
mathieui
send whatever JID
-
mathieui
(if some contacts match)
-
mathieui
which is yet another attack
-
Zash
Eh, just put your JID in your $socialnetwork profile and call it a day.
-
pulkomandy
yes, I think I'm going to stay at "automatically discovering contacts is bad for your privacy or that of your contacts and it's better to not do it"
-
mathieui
pulkomandy, well, the privacy solution would be to have one address book per "mobile application of the week" + this PSI protocol
-
mathieui
(for centralized messengers of course)
-
Zash
Where's the optimal balance between uploading your phonebook to the cloud, and staring at an empty contact list?
-
mathieui
Zash, potato farming
-
Zash
true fact
-
MattJ
Any scheme you come up with has to defend against an actor claiming to have every phone number in their address book
-
MattJ
Because if they do that, they get all registered JIDs
-
MattJ
A centralized service can add limits, a decentralized one typically can't
-
Zash
Snikket Circle stuff FTW
-
jonas’
I hear the limits worked really well for signal
-
MattJ
Snikket FTW
-
jonas’
+1
-
jonas’
(say all the folks involved with snikket)
-
MattJ
:)
-
Zash
NO BIAS, I PROMISE!
-
MattJ
Invites and JID sharing are a more polite way of doing the same thing as automatic contact discovery anyway
-
mathieui
yes.
-
jonas’
and a more manual, to be fair
-
mathieui
It is ethically better but still a higher level of entry
-
mathieui
MattJ, I haven’t looked at that stuff too much, but is there a way to reply to an invite with "I already have an account at ***@example.com, I am adding you now" in some kind of protocol-y way?
-
Zash
Well if you wanna do the dark engagement and addiction building things...
-
mathieui
that’s probably not a very common use case
-
jonas’
mathieui, it won’t work with circles at least
-
jonas’
as those don’t federate well at this time
-
jonas’
I don’t have a good idea how to span circles across services yet
-
Zash
There's that pre-authed contact invites with optional IBR support
-
MattJ
mathieui: yes, the invite token has two dimensions - one is to register an account, the other is a preauthed roster subscription
-
jonas’
yep, that one exists, but it doesn’t support circles.
-
MattJ
That's fine, circles are for users within a single service
-
jonas’
mmhm
-
MattJ
Maybe we can change that one day, but they're not everything
-
jonas’
yes
-
jonas’
I’d like to be able to span them, but they’re already really good as is
-
pulkomandy
let's just offer new XMPP users a set of business cards with their JID on it (and a qrcode or something) then they can choose who they share it with? sometimes low-tech solutions are good
-
pulkomandy
(or maybe qrcode isn't lowtech. but fitting a JID in a barcode is hard)
-
Zash
We had those "Hello, my JID is" stickers....
-
Sam
Reminder that tomorrow is the XMPP Office Hours! This week I'm giving an intro to XMPP for new XMPP developers. However, if you're an experienced dev I'd love feedback! https://wiki.xmpp.org/web/XMPP_Office_Hours
-
Sam
wow, that's a lot of messaging clients: https://wiki.archlinux.org/index.php/List_of_applications#Instant_messaging_clients