XSF Discussion - 2012-05-11

  10. stpeter

    dwd: does the Board have a meeting soon?

  11. Kev

    30 seconds.

  12. Kev

    According to the ML anyway.

  13. stpeter

    that *is* soon

  14. stpeter

    I'm shocked to be here on time

    hey y'all

  17. stpeter

    hi Ashley

  18. dwd

    Yes, gosh. Meeting time already.

  19. dwd

    Although we're rather less than quorate.

  20. Kev

    I think bear was expecting to be here?

  21. dwd

    Yes. It was amazingly short notice, really.

  22. stpeter

    dwd: what are the topics for discussion, formal or informal?

  23. dwd

    Well, there's this browserid project.

  24. dwd

    Plus I think Mike and Florian were doing things with book shipping to GSoC students.

  25. dwd

    bear, Hiya.

  26. bear is here

  27. Kev

    I poked bear about that yesterday, he was going to check he had all the addresses for ordering books when he was back at his desk.

  28. Kev

    Ah, and he's here :)

  29. dwd

    Well, that counts us as quorate if we need to decide anything, I think.

  30. bear

    yep - I have the addresses, need to send them to Kev

  31. Kev

    bear: I don't think I need them.

  32. Kev

    The next step was Board deciding whether to send the books, I think.

  33. dwd

So, stupid question - where are our students, geographically?

  34. Kev

    (And then sending them)

  35. bear

    all over the map

  36. dwd

    Kev, I think Board had already decided to send books, actually.

  37. Kev

    Oh, ok.

  38. Ashley

    yeah, that's what i recall as well

  39. Kev

    I remember you saying Bear had to get a price based on where the students were and how much it'd cost to ship.

  40. Kev

    But yay.

  41. stpeter

    we need to make sure that people get reimbursed appropriately this time, too!

  42. dwd

    That, as I recall, was related to a discussion on how to actually ship - basically, not getting all the books shipped to Mike and then him sending them air around the globe, or something.

  43. dwd

    More likely, we use the power of Amazon, or similar, to order the books locally near the students if at all possible.

  44. bear

    Germany, Poland, Brazil

  45. bear

    we never had the books shipped to me - I used Amazon

  46. bear

    and just entered gift addresses

  47. stpeter

    IIRC we used amazon.co.uk for European orders before

  49. dwd

    stpeter, Amazon europe is one big thing, AFAIK, so they'll ship from whichever depot makes sense.

  50. bear

    only the China student caused a small issue, but that was because of how postal codes work, not Amazon.co.uk

  51. bear

    so I will start the ordering tonight and send an email to the list with the details

  52. dwd

    So anyway, this means we can just order the books - anyone want to take responsibility for doing so?

  53. dwd

    Oh. Mike just has. Marvellous.

  54. Kev

    I think bear just has, which is great by me because I don't want to :)

  55. Kev

    Thanks bear.

  56. bear

    I will just need to remember to send peter the receipt this time

  57. dwd

    bear, I don't *think* we need the details beyond the costs to any list.

  58. stpeter

    dwd: agreed

  59. dwd

    bear, In particular, I don't think we want the addresses anywhere near the list.

  60. bear

    the list sending is just my way of asking kev to poke me if he doesn't see it by monday

  61. bear

    oh sure, by nature I'm a privacy nut, so that's a given

  63. dwd

    So, browserid stuff.

  64. dwd

    stpeter, I've noticed with some alarm that you've not said anything on this, yet - do you have any particular thoughts?

  65. stpeter

    dwd: I thought it was a good idea when we discussed it in Brussels, but I've been pretty distracted for the last few weeks and I haven't made time to focus on it -- I will try to do that this weekend or next week

  66. dwd

    OK, great. I just had a horrible vision of you saying "What on earth are you *thinking*!?", so I'm glad you think it's OK. :-)

  67. stpeter

    dwd: I haven't delved into the technical details, but overall it seems like a good thing

  68. bear

    I think Simon from buddycloud will also be helping (I don't know if they have announced their news yet re: Mozilla)

  69. Kev

    I haven't seen it announced anywhere yet.

  70. bear

    they are probably waiting on Moz then :/

  71. dwd

    Right. I was looking at more technical detail on this, and I think there's some key chunks we can break out.

  72. dwd

    Basically there's a couple of bits of spec (browser->XMPP, and site->browserid), plus the server implementation, plus the browser one.

  73. dwd

    Of these, the bit I think we're going to struggle on is the browser-side implementation - the rest seem well within our areas of expertise, so we should manage to get these done.

  74. stpeter

    dwd: I'm ashamed to admit that I haven't looked into BrowserID much yet, nor have I thought about the XMPP integration with XMPP -- do you have any kind of writeup or blog post that explores it?

  75. dwd

    But obviously the implementation work is somewhat gated on the specs.

  76. stpeter

    er, s/XMPP// there

  77. stpeter is pretty much flat out exhausted this morning

  78. bear

    let's post to the list a meeting request so folks interested can come

  79. dwd

    stpeter, Shockingly, no. But Browserid itself is pretty simple. It's a case of browser gets an "assertion" (ticket) as a credential for a site from the security provider, and the site validates it with a single HTTP request to https://browserid.org/verify

  80. dwd

    bear, Yeah, I thought that last time Florian was going to do that, but I may be mis-remembering, and I might have told him I would organize the meeting.

  81. stpeter

    bear: well, yes

  82. Zash

    I'd describe it as PKI with JSON

  83. dwd

    Zash, It's not even PKI, closer to Kerberos.

  84. stpeter

    it would be good to schedule something a week in advance or somesuch, and preferably have a brief writeup that folks can read (and not just XMPP folks)

  85. Kev

    Two great flavours that taste great together.

  86. dwd

    stpeter, Right. I can probably manage the write-up.

  87. stpeter

    dwd: yes, it does sound like Kerberos or even OAuth -- the same ticket pattern in all three cases

  88. dwd

    stpeter, Right, so in our case what we do need to do is allow multiple verify URIs instead of just one centralized one.

  89. Kev

    So we should just do Kerberos-over-XMPP, then. Simples.

  90. Zash

    The ticket can be validated without asking anyone

  91. dwd

    Zash, Really? Seems like you have to do a POST to the browserid URI.

  93. stpeter

    do the security providers register with Mozilla somehow?

  94. dwd

    Zash, Actually, I think you're volunteering to help me with the write-up.

  95. stpeter

    and do feel free to tell me to RTFM :)

  96. dwd

stpeter, No, the browserid model helpfully only provides one security provider.

  97. dwd

    stpeter, Which I think is daft anyway.

  98. Zash

The browser has a key+certificate signed by the ID provider (browserid.org). To sign in somewhere, it signs an assertion and sends that to the site, which can either ask the provider to verify it, or disassemble it and check it itself.

  99. stpeter

    as I recall, the browserid.org page basically said "1. Collect Underpants 2. Magic Here 3. Profit"

  100. bear

    it's a bit more than that now :)

  101. bear

    internally mozilla has gone "all in" for browserid - using it for our own tools

  102. dwd

    Zash, The info I can find suggests that a site can't verify the assertion itself.

  103. Zash

    dwd: I'd rather think that's because they don't want to encourage people to write RSA code in PHP

  104. dwd

    Zash, Oh, then again, it actually says "The easiest way to do this". And that's easiest because there's no info on how else one might.

  105. dwd

Zash, Right - if that's the case we need to figure out whether to continue with that model. But thanks for volunteering to work with me on a write-up.

  106. Zash

    Heh :)

  107. Kev

    I think "Specs welcome" is one up from "Patches welcome".

  108. dwd

    OK - so if we try to schedule another meeting next week sometime, does that work for everyone?

  109. Kev

    And we all know what the latter means...

  110. dwd

    Kev, That patches are welcome?

  111. Kev

    Something like that.

  112. Kev

    It was a FOSDEM joke, you had to be there...

  113. stpeter

    dwd: in order to have enough notice and a short document for folks to read, it might need to be the week after (Monday or Tuesday or whatever)

  114. stpeter

    say, May 22nd?

  115. stpeter

    or the 23rd after the Council meeting?

  116. dwd

    stpeter, Yeah - how about I (and Zash, now) figure out a detailed technical write-up, and then we send that out and schedule the meeting then?

  117. stpeter

    that sounds absolutely super

  118. dwd


  119. dwd

    On that note, then, I think we may be done.

  120. Kev

    Righty. Thanks chaps.

  121. stpeter opens a bunch of tabs about BrowserID

  122. dwd

    bear, You've a contact who "really" knows about BrowserID, right?

  124. stpeter

    that might be helpful :)

  125. bear

    the people who are writing the mozilla stuff

  126. bear

    irc.mozilla.org #identity

  127. dwd

bear, Oh, OK. If I have a 1980s chat client somewhere I'll go join in.

  129. dwd goes hunting for a vt100

  130. bear

    I can make introductions if you want more of a small meeting type discussion

  131. bear

    Ben Adida is very approachable and he is the gateway to the entire Mozilla Identity (now called Personas) project

  132. dwd

    OK, cool. If I have trouble getting in with the crowd, as it were, I'll give you a shout.

  134. dwd

    Zash, So if I get this right, BrowserID is basically a CA?

  136. Zash

    There's some spec here https://github.com/mozilla/browserid/blob/dev/docs/PRIMARY_PROTOCOL.md

  137. dwd

    Zash, OK - so the BrowserId thing is basically verifying your email address, and then issuing a cert?

  139. dwd

Zash, Which suggests that *that* is the bit we could easily run over XMPP, actually. So do I have to verify my email address on every browser I use (laptop, desktop)?

  140. Zash

    I suppose the browser prefs syncing should also sync your keys. The rest is up to the CA, it could (as browserid.org does) issue you a normal password that you log in with.

  141. dwd

    What, for verifying? Or every time?

  142. Zash

    If your device doesn't have a cert, you're supposed to be provisioned one. How the CA determines who you are isn't in the spec afaik.

  143. Zash

    BrowserID.org sends a verification email, then lets you choose a password. Then I suppose you could log in with that password to get a cert on another device.

  144. dwd

    OK, so it's a global CA which has a single password per user.

  145. dwd

    Does it have a single X.500 directory behind it, too?

  147. Zash

    At least you(r email provider) can run a CA too.

  148. Zash

Fun, so the current implementation passes around big numbers in decimal form. The JSON Web * specs say to base64 them.

  149. Zash

    Suddenly, JSON and base64 everywhere!

