XSF Discussion - 2012-05-11

  1. Jef has joined
  2. luca tagliaferri has left
  3. luca tagliaferri has joined
  4. luca tagliaferri has left
  5. Zash has left
  6. Jef has left
  7. Zash has left
  8. Zash has left
  9. stpeter has joined
  10. stpeter dwd: does the Board have a meeting soon?
  11. Kev 30 seconds.
  12. Kev According to the ML anyway.
  13. stpeter that *is* soon
  14. stpeter I'm shocked to be here on time
  15. Ashley has joined
  16. Ashley hey y'all
  17. stpeter hi Ashley
  18. dwd Yes, gosh. Meeting time already.
  19. dwd Although we're rather less than quorate.
  20. Kev I think bear was expecting to be here?
  21. dwd Yes. It was amazingly short notice, really.
  22. stpeter dwd: what are the topics for discussion, formal or informal?
  23. dwd Well, there's this browserid project.
  24. dwd Plus I think Mike and Florian were doing things with book shipping to GSoC students.
  25. dwd bear, Hiya.
  26. bear is here
  27. Kev I poked bear about that yesterday, he was going to check he had all the addresses for ordering books when he was back at his desk.
  28. Kev Ah, and he's here :)
  29. dwd Well, that counts us as quorate if we need to decide anything, I think.
  30. bear yep - I have the addresses, need to send them to Kev
  31. Kev bear: I don't think I need them.
  32. Kev The next step was Board deciding whether to send the books, I think.
  33. dwd So, stupid question - where are our students, georgaphically?
  34. Kev (And then sending them)
  35. bear all over the map
  36. dwd Kev, I think Board had already decided to send books, actually.
  37. Kev Oh, ok.
  38. Ashley yeah, that's what i recall as well
  39. Kev I remember you saying Bear had to get a price based on where the students were and how much it'd cost to ship.
  40. Kev But yay.
  41. stpeter we need to make sure that people get reimbursed appropriately this time, too!
  42. dwd That, as I recall, was related to a discussion on how to actually ship - basically, not getting all the books shipped to Mike and then him sending them air around the globe, or something.
  43. dwd More likely, we use the power of Amazon, or similar, to order the books locally near the students if at all possible.
  44. bear Germany, Poland, Brazil
  45. bear we never had the books shipped to me - I used Amazon
  46. bear and just entered gift addresses
  47. stpeter IIRC we used amazon.co.uk for European orders before
  48. bear yes
  49. dwd stpeter, Amazon europe is one big thing, AFAIK, so they'll ship from whichever depot makes sense.
  50. bear only the China student caused a small issue, but that was because of how postal codes work, not Amazon.co.uk
  51. bear so I will start the ordering tonight and send an email to the list with the details
  52. dwd So anyway, this means we can just order the books - anyone want to take responsibility for doing so?
  53. dwd Oh. Mike just has. Marvellous.
  54. Kev I think bear just has, which is great by me because I don't want to :)
  55. Kev Thanks bear.
  56. bear I will just need to remember to send peter the receipt this time
  57. dwd bear, I don't *think* we need the details beyond the costs to any list.
  58. stpeter dwd: agreed
  59. dwd bear, In particular, I don't think we want the addresses anywhere near the list.
  60. bear the list sending is just my way of asking kev to poke me if he doesn't see it by monday
  61. bear oh sure, by nature I'm a privacy nut, so that's a given
  62. dwd OK.
  63. dwd So, browserid stuff.
  64. dwd stpeter, I've noticed with some alarm that you've not said anything on this, yet - do you have any particular thoughts?
  65. stpeter dwd: I thought it was a good idea when we discussed it in Brussels, but I've been pretty distracted for the last few weeks and I haven't made time to focus on it -- I will try to do that this weekend or next week
  66. dwd OK, great. I just had a horrible vision of you saying "What on earth are you *thinking*!?", so I'm glad you think it's OK. :-)
  67. stpeter dwd: I haven't delved into the technical details, but overall it seems like a good thing
  68. bear I think Simon from buddycloud will also be helping (I don't know if they have announced their news yet re: Mozilla)
  69. Kev I haven't seen it announced anywhere yet.
  70. bear they are probably waiting on Moz then :/
  71. dwd Right. I was looking at more technical detail on this, and I think there's some key chunks we can break out.
  72. dwd Basically there's a couple of bits of spec (browser->XMPP, and site->browserid), plus the server implementation, plus the browser one.
  73. dwd Of these, the bit I think we're going to struggle on is the browser-side implementation - the rest seem well within our areas of expertise, so we should manage to get these done.
  74. stpeter dwd: I'm ashamed to admit that I haven't looked into BrowserID much yet, nor have I thought about the XMPP integration with XMPP -- do you have any kind of writeup or blog post that explores it?
  75. dwd But obviously the implementation work is somewhat gated on the specs.
  76. stpeter er, s/XMPP// there
  77. stpeter is pretty much flat out exhausted this morning
  78. bear let's post to the list a meeting request so folks interested can come
  79. dwd stpeter, Shockingly, no. But Browserid itself is pretty simple. It's a case of browser gets an "assertion" (ticket) as a credential for a site from the security provider, and the site validates it with a single HTTP request to https://browserid.org/verify
  80. dwd bear, Yeah, I thought that last time Florian was going to do that, but I may be mis-remembering, and I might have told him I would organize the meeting.
  81. stpeter bear: well, yes
  82. Zash I'd describe it as PKI with JSON
  83. dwd Zash, It's not even PKI, closer to Kerberos.
  84. stpeter it would be good to schedule something a week in advance or somesuch, and preferably have a brief writeup that folks can read (and not just XMPP folks)
  85. Kev Two great flavours that taste great together.
  86. dwd stpeter, Right. I can probably manage the write-up.
  87. stpeter dwd: yes, it does sound like Kerberos or even OAuth -- the same ticket pattern in all three cases
  88. dwd stpeter, Right, so in our case what we do need to do is allow multiple verify URIs instead of just one centralized one.
  89. Kev So we should just do Kerberos-over-XMPP, then. Simples.
  90. Zash The ticket can be validated without asking anyone
  91. dwd Zash, Really? Seems like you have to do a POST to the browserid URI.
  92. Zash s/ticket/assertion/
  93. stpeter do the security providers register with Mozilla somehow?
  94. dwd Zash, Actually, I think you're volunteering to help me with the write-up.
  95. stpeter and do feel free to tell me to RTFM :)
  96. dwd stpeter, No, the browserid model helpfully only provides on security provider.
  97. dwd stpeter, Which I think is daft anyway.
  98. Zash The browser has a key+certificate signed by the ID provider (browserid.org). To sign in somewhere, it sigs an assertion and sends that to the site, which can either ask the provider to verify it, or disassemble it and check it itself.
  99. stpeter as I recall, the browserid.org page basically said "1. Collect Underpants 2. Magic Here 3. Profit"
  100. bear it's a bit more than that now :)
  101. bear internally mozilla has gone "all in" for browserid - using it for our own tools
  102. dwd Zash, The info I can find suggests that a site can't verify the assertion itself.
  103. Zash dwd: I'd rather think that's because they don't want to encourage people to write RSA code in PHP
  104. dwd Zash, Oh, then again, it actually says "The easiest way to do this". And that's easiest because there's no info on how else one might.
  105. dwd Zash, Right - if that's the case we need to figure out whather to continue with that model. But thanks for volunteering to work with me on a write-up.
  106. Zash Heh :)
  107. Kev I think "Specs welcome" is one up from "Patches welcome".
  108. dwd OK - so if we try to schedule another meeting next week sometime, does that work for everyone?
  109. Kev And we all know what the latter means...
  110. dwd Kev, That patches are welcome?
  111. Kev Something like that.
  112. Kev It was a FOSDEM joke, you had to be there...
  113. stpeter dwd: in order to have enough notice and a short document for folks to read, it might need to be the week after (Monday or Tuesday or whatever)
  114. stpeter say, May 22nd?
  115. stpeter or the 23rd after the Council meeting?
  116. dwd stpeter, Yeah - how about I (and Zash, now) figure out a detailed technical write-up, and then we send that out and schedule the meeting then?
  117. stpeter that sounds absolutely super
  118. dwd Righty.
  119. dwd On that note, then, I think we may be done.
  120. Kev Righty. Thanks chaps.
  121. stpeter opens a bunch of tabs about BrowserID
  122. dwd bear, You've a contact who "really" knows about BrowserID, right?
  123. bear yes
  124. stpeter that might be helpful :)
  125. bear the people who are writing the mozilla stuff
  126. bear irc.mozilla.org #identity
  127. dwd bear, Oh, OK. If I have a 1980's chat client somewhere I'll go join in.
  128. bear :)
  129. dwd goes hunting for a vt100
  130. bear I can make introductions if you want more of a small meeting type discussion
  131. bear Ben Adida is very approachable and he is the gateway to the entire Mozilla Identity (now called Personas) project
  132. dwd OK, cool. If I have trouble getting in with the crowd, as it were, I'll give you a shout.
  133. bear k
  134. dwd Zash, So if I get this right, BrowserID is basically a CA?
  135. Zash Yes
  136. Zash There's some spec here https://github.com/mozilla/browserid/blob/dev/docs/PRIMARY_PROTOCOL.md
  137. dwd Zash, OK - so the BrowserId thing is basically verifying your email address, and then issuing a cert?
  138. Zash Yes.
  139. dwd Zash, Which suggests that *that* is the bit we could easily run over XMPP, actually. So do I have to verify my email address on every brwoser I use (laptop, desktop)?
  140. Zash I suppose the browser prefs syncing should also sync your keys. The rest is up to the CA, it could (as browserid.org does) issue you a normal password that you log in with.
  141. dwd What, for verifying? Or every time?
  142. Zash If your device doesn't have a cert, you're supposed to be provisioned one. How the CA determines who you are isn't in the spec afaik.
  143. Zash BrowserID.org sends a verification email, then lets you choose a password. Then I suppose you could log in with that password to get a cert on another device.
  144. dwd OK, so it's a global CA which has a single password per user.
  145. dwd Does it have a single X.500 directory behind it, too?
  146. Zash Heh
  147. Zash At least you(r email provider) can run a CA too.
  148. Zash Fun, so the current implementation passes arround big numbers in decimal form. The JSON Web * specs says to base64 them.
  149. Zash Suddenly, JSON and base64 everywhere!
  150. Ashley has left
  151. Ashley has joined
  152. Jef has joined
  153. stpeter has left
  154. Jef has left
  155. Jef has joined
  156. Jef has left
  157. Neustradamus has left
  158. Ashley has left
  159. Jef has joined
  160. Ashley has joined
  161. Ashley has left
  162. Jef has left
  163. Jef has joined
  164. Jef has left
  165. Jef has joined
  166. Jef has left