XSF Discussion - 2012-05-11

  1. stpeter

    dwd: does the Board have a meeting soon?

  2. Kev

    30 seconds.

  3. Kev

    According to the ML anyway.

  4. stpeter

    that *is* soon

  5. stpeter

    I'm shocked to be here on time

  6. Ashley

    hey y'all

  7. stpeter

    hi Ashley

  8. dwd

    Yes, gosh. Meeting time already.

  9. dwd

    Although we're rather less than quorate.

  10. Kev

    I think bear was expecting to be here?

  11. dwd

    Yes. It was amazingly short notice, really.

  12. stpeter

    dwd: what are the topics for discussion, formal or informal?

  13. dwd

    Well, there's this browserid project.

  14. dwd

    Plus I think Mike and Florian were doing things with book shipping to GSoC students.

  15. dwd

    bear, Hiya.

  16. bear is here

  17. Kev

    I poked bear about that yesterday, he was going to check he had all the addresses for ordering books when he was back at his desk.

  18. Kev

    Ah, and he's here :)

  19. dwd

    Well, that counts us as quorate if we need to decide anything, I think.

  20. bear

    yep - I have the addresses, need to send them to Kev

  21. Kev

    bear: I don't think I need them.

  22. Kev

    The next step was Board deciding whether to send the books, I think.

  23. dwd

    So, stupid question - where are our students, geographically?

  24. Kev

    (And then sending them)

  25. bear

    all over the map

  26. dwd

    Kev, I think Board had already decided to send books, actually.

  27. Kev

    Oh, ok.

  28. Ashley

    yeah, that's what i recall as well

  29. Kev

    I remember you saying Bear had to get a price based on where the students were and how much it'd cost to ship.

  30. Kev

    But yay.

  31. stpeter

    we need to make sure that people get reimbursed appropriately this time, too!

  32. dwd

    That, as I recall, was related to a discussion on how to actually ship - basically, not getting all the books shipped to Mike and then him sending them air around the globe, or something.

  33. dwd

    More likely, we use the power of Amazon, or similar, to order the books locally near the students if at all possible.

  34. bear

    Germany, Poland, Brazil

  35. bear

    we never had the books shipped to me - I used Amazon

  36. bear

    and just entered gift addresses

  37. stpeter

    IIRC we used amazon.co.uk for European orders before

  38. bear


  39. dwd

    stpeter, Amazon Europe is one big thing, AFAIK, so they'll ship from whichever depot makes sense.

  40. bear

    only the China student caused a small issue, but that was because of how postal codes work, not Amazon.co.uk

  41. bear

    so I will start the ordering tonight and send an email to the list with the details

  42. dwd

    So anyway, this means we can just order the books - anyone want to take responsibility for doing so?

  43. dwd

    Oh. Mike just has. Marvellous.

  44. Kev

    I think bear just has, which is great by me because I don't want to :)

  45. Kev

    Thanks bear.

  46. bear

    I will just need to remember to send peter the receipt this time

  47. dwd

    bear, I don't *think* we need the details beyond the costs to any list.

  48. stpeter

    dwd: agreed

  49. dwd

    bear, In particular, I don't think we want the addresses anywhere near the list.

  50. bear

    the list sending is just my way of asking Kev to poke me if he doesn't see it by Monday

  51. bear

    oh sure, by nature I'm a privacy nut, so that's a given

  52. dwd


  53. dwd

    So, browserid stuff.

  54. dwd

    stpeter, I've noticed with some alarm that you've not said anything on this, yet - do you have any particular thoughts?

  55. stpeter

    dwd: I thought it was a good idea when we discussed it in Brussels, but I've been pretty distracted for the last few weeks and I haven't made time to focus on it -- I will try to do that this weekend or next week

  56. dwd

    OK, great. I just had a horrible vision of you saying "What on earth are you *thinking*!?", so I'm glad you think it's OK. :-)

  57. stpeter

    dwd: I haven't delved into the technical details, but overall it seems like a good thing

  58. bear

    I think Simon from buddycloud will also be helping (I don't know if they have announced their news yet re: Mozilla)

  59. Kev

    I haven't seen it announced anywhere yet.

  60. bear

    they are probably waiting on Moz then :/

  61. dwd

    Right. I was looking at more technical detail on this, and I think there's some key chunks we can break out.

  62. dwd

    Basically there's a couple of bits of spec (browser->XMPP, and site->browserid), plus the server implementation, plus the browser one.

  63. dwd

    Of these, the bit I think we're going to struggle on is the browser-side implementation - the rest seem well within our areas of expertise, so we should manage to get these done.

  64. stpeter

    dwd: I'm ashamed to admit that I haven't looked into BrowserID much yet, nor have I thought about the XMPP integration with XMPP -- do you have any kind of writeup or blog post that explores it?

  65. dwd

    But obviously the implementation work is somewhat gated on the specs.

  66. stpeter

    er, s/XMPP// there

  67. stpeter is pretty much flat out exhausted this morning

  68. bear

    let's post to the list a meeting request so folks interested can come

  69. dwd

    stpeter, Shockingly, no. But Browserid itself is pretty simple. It's a case of browser gets an "assertion" (ticket) as a credential for a site from the security provider, and the site validates it with a single HTTP request to https://browserid.org/verify

  70. dwd

    bear, Yeah, I thought that last time Florian was going to do that, but I may be mis-remembering, and I might have told him I would organize the meeting.

  71. stpeter

    bear: well, yes

  72. Zash

    I'd describe it as PKI with JSON

  73. dwd

    Zash, It's not even PKI, closer to Kerberos.

  74. stpeter

    it would be good to schedule something a week in advance or somesuch, and preferably have a brief writeup that folks can read (and not just XMPP folks)

  75. Kev

    Two great flavours that taste great together.

  76. dwd

    stpeter, Right. I can probably manage the write-up.

  77. stpeter

    dwd: yes, it does sound like Kerberos or even OAuth -- the same ticket pattern in all three cases

  78. dwd

    stpeter, Right, so in our case what we do need to do is allow multiple verify URIs instead of just one centralized one.

  79. Kev

    So we should just do Kerberos-over-XMPP, then. Simples.

  80. Zash

    The ticket can be validated without asking anyone

  81. dwd

    Zash, Really? Seems like you have to do a POST to the browserid URI.

  82. Zash


  83. stpeter

    do the security providers register with Mozilla somehow?

  84. dwd

    Zash, Actually, I think you're volunteering to help me with the write-up.

  85. stpeter

    and do feel free to tell me to RTFM :)

  86. dwd

    stpeter, No, the browserid model helpfully only provides one security provider.

  87. dwd

    stpeter, Which I think is daft anyway.

  88. Zash

    The browser has a key+certificate signed by the ID provider (browserid.org). To sign in somewhere, it signs an assertion and sends that to the site, which can either ask the provider to verify it, or disassemble it and check it itself.

  89. stpeter

    as I recall, the browserid.org page basically said "1. Collect Underpants 2. Magic Here 3. Profit"

  90. bear

    it's a bit more than that now :)

  91. bear

    internally mozilla has gone "all in" for browserid - using it for our own tools

  92. dwd

    Zash, The info I can find suggests that a site can't verify the assertion itself.

  93. Zash

    dwd: I'd rather think that's because they don't want to encourage people to write RSA code in PHP

  94. dwd

    Zash, Oh, then again, it actually says "The easiest way to do this". And that's easiest because there's no info on how else one might.

  95. dwd

    Zash, Right - if that's the case we need to figure out whether to continue with that model. But thanks for volunteering to work with me on a write-up.

  96. Zash

    Heh :)

  97. Kev

    I think "Specs welcome" is one up from "Patches welcome".

  98. dwd

    OK - so if we try to schedule another meeting next week sometime, does that work for everyone?

  99. Kev

    And we all know what the latter means...

  100. dwd

    Kev, That patches are welcome?

  101. Kev

    Something like that.

  102. Kev

    It was a FOSDEM joke, you had to be there...

  103. stpeter

    dwd: in order to have enough notice and a short document for folks to read, it might need to be the week after (Monday or Tuesday or whatever)

  104. stpeter

    say, May 22nd?

  105. stpeter

    or the 23rd after the Council meeting?

  106. dwd

    stpeter, Yeah - how about I (and Zash, now) figure out a detailed technical write-up, and then we send that out and schedule the meeting then?

  107. stpeter

    that sounds absolutely super

  108. dwd


  109. dwd

    On that note, then, I think we may be done.

  110. Kev

    Righty. Thanks chaps.

  111. stpeter opens a bunch of tabs about BrowserID

  112. dwd

    bear, You've a contact who "really" knows about BrowserID, right?

  113. bear


  114. stpeter

    that might be helpful :)

  115. bear

    the people who are writing the mozilla stuff

  116. bear

    irc.mozilla.org #identity

  117. dwd

    bear, Oh, OK. If I have a 1980s chat client somewhere I'll go join in.

  118. bear


  119. dwd goes hunting for a vt100

  120. bear

    I can make introductions if you want more of a small meeting type discussion

  121. bear

    Ben Adida is very approachable and he is the gateway to the entire Mozilla Identity (now called Personas) project

  122. dwd

    OK, cool. If I have trouble getting in with the crowd, as it were, I'll give you a shout.

  123. bear


  124. dwd

    Zash, So if I get this right, BrowserID is basically a CA?

  125. Zash


  126. Zash

    There's some spec here https://github.com/mozilla/browserid/blob/dev/docs/PRIMARY_PROTOCOL.md

  127. dwd

    Zash, OK - so the BrowserId thing is basically verifying your email address, and then issuing a cert?

  128. Zash


  129. dwd

    Zash, Which suggests that *that* is the bit we could easily run over XMPP, actually. So do I have to verify my email address on every browser I use (laptop, desktop)?

  130. Zash

    I suppose the browser prefs syncing should also sync your keys. The rest is up to the CA, it could (as browserid.org does) issue you a normal password that you log in with.

  131. dwd

    What, for verifying? Or every time?

  132. Zash

    If your device doesn't have a cert, you're supposed to be provisioned one. How the CA determines who you are isn't in the spec afaik.

  133. Zash

    BrowserID.org sends a verification email, then lets you choose a password. Then I suppose you could log in with that password to get a cert on another device.

  134. dwd

    OK, so it's a global CA which has a single password per user.

  135. dwd

    Does it have a single X.500 directory behind it, too?

  136. Zash


  137. Zash

    At least you(r email provider) can run a CA too.

  138. Zash

    Fun, so the current implementation passes around big numbers in decimal form. The JSON Web * specs say to base64 them.

  139. Zash

    Suddenly, JSON and base64 everywhere!