jdev - 2024-02-19


  1. Schimon

    Interfaces such as ad-hoc and data forms are subjected to OMEMO, yes?

  2. Schimon

    I mean, the interaction with ad-hoc and data forms is possible with OMEMO, yes?

  3. singpolyma

    not with omemo1

  4. singpolyma

    in theory with twomemo it could be, but there are no implementations of that

  5. singpolyma

    (of data forms + twomemo I mean)

  6. Wirlaburla

    So don't ask for passwords over forms, got it.

  7. singpolyma

    generally one should avoid transmitting passwords, even encrypted. but yes ;)

  8. Zash

    or even avoid passwords altogether!

  9. Wirlaburla

    Is there a XEP for bio-authentication yet?

  10. Zash

    No, tho I'd expect authentication stuff to happen in the IETF, not XSF

  11. debacle

    gateways to "legacy" networks (IRC, Matrix, etc.) typically are configured via forms, incl. passwords

  12. debacle

    biboumi, slidge

  13. moparisthebest

    > Is there a XEP for bio-authentication yet? Wirlaburla: literally a terrible idea, auth that can easily be stolen/compromised/faked and that is impossible to change? No thx

  14. Wirlaburla

    It was a joke.

  15. moparisthebest

    Some people don't think so :)

  16. Wirlaburla

    I'm not an absolute idiot so I know better.

  17. lovetox

    is POSH still the recommended solution for the whole xmpp hosting service business?

  18. lovetox

    like when I can't point my A and AAAA records to the hosting service, what are the alternatives

  19. singpolyma

    Use DNS01 challenge

  20. Zash

    I assume the context is whether to re-implement support in Gajim?

  21. Zash

    In practice imagine it's easier to just point a subdomain to the hosting service and live with me@chat.example.org instead of @example.org

  22. singpolyma

    Zash: that's not really an acceptable solution long term though

  23. Zash

    Maybe ask Daniel or Holger for stats?

  24. Zash

    Anyway, personally I don't like POSH. The use of JWK seems meh and pinning the full certificate is even more meh, as the hosting provider can't rotate certs easily if all the users have some self-signed cert pinned. And maybe because as a server developer it irks me to have seen exactly zero correct deployments of it for s2s. All rely on Dialback.

  25. Zash

    MattJ and I discussed some simplified form where you just put the expected hostname in a plain text file somewhere secure and then rely on PKIX as usual but with that name instead.

  26. Zash

    singpolyma, I'd accept DANE as a long term solution ;)

  27. moparisthebest

    > is POSH still the recommended solution for the whole xmpp hosting service business? lovetox: POSH or DANE or host-meta-2 but don't expect any to be widely implemented in the wild

  28. moparisthebest

    Obviously as per what host-meta-2 says I'd like the second 2 to be widely implemented soon(tm) ;)

  29. lovetox

    host meta lets you pin certs?

  30. Zash

    Conversations does POSH and it's The Most Popular client, so it may qualify as Widely Implemented® :P

  31. singpolyma

    > singpolyma, I'd accept DANE as a long term solution ;) Sure, yes. But a hosting service doesn't need this as much anymore with letsencrypt and dns01. But yes of course pushing towards universal DANE s2s support is a goal

  32. Zash

    STAR certs are another thing to keep an eye on IIRC

  33. Zash

    Related https://github.com/snikket-im/snikket-server/issues/60

  36. singpolyma

    Snikket is an extra special case because MattJ wants anything easy for the hosting service to be easy for self hosters. Which is doable but more work. Getting it going for a hosting service alone is much less effort

  37. Zash

    > Use DNS01 challenge One could also set up some proxy shenanigans to forward http-01 challenges.

  38. singpolyma

    Yes, so long as you control the http like a self hoster. But for a hosting service where the customer wants their web with any random other provider the proxy solution gets pretty hard whereas dns01 is a single cname to add

  39. Zash

    Ah, right, yeah.

  40. moparisthebest

    > host meta lets you pin certs? lovetox: pin public keys, which is what you actually want, because they don't have to change unlike certs