stpeter: dwd: what are the topics for discussion, formal or informal?
dwd: Well, there's this browserid project.
dwd: Plus I think Mike and Florian were doing things with book shipping to GSoC students.
dwd: bear, Hiya.
bear is here
Kev: I poked bear about that yesterday, he was going to check he had all the addresses for ordering books when he was back at his desk.
Kev: Ah, and he's here :)
dwd: Well, that counts us as quorate if we need to decide anything, I think.
bear: yep - I have the addresses, need to send them to Kev
Kev: bear: I don't think I need them.
Kev: The next step was Board deciding whether to send the books, I think.
dwd: So, stupid question - where are our students, geographically?
Kev: (And then sending them)
bear: all over the map
dwd: Kev, I think Board had already decided to send books, actually.
Kev: Oh, ok.
Ashley: yeah, that's what i recall as well
Kev: I remember you saying Bear had to get a price based on where the students were and how much it'd cost to ship.
Kev: But yay.
stpeter: we need to make sure that people get reimbursed appropriately this time, too!
dwd: That, as I recall, was related to a discussion on how to actually ship - basically, not getting all the books shipped to Mike and then him sending them air around the globe, or something.
dwd: More likely, we use the power of Amazon, or similar, to order the books locally near the students if at all possible.
bear: Germany, Poland, Brazil
bear: we never had the books shipped to me - I used Amazon
bear: and just entered gift addresses
stpeter: IIRC we used amazon.co.uk for European orders before
bear: yes
dwd: stpeter, Amazon europe is one big thing, AFAIK, so they'll ship from whichever depot makes sense.
bear: only the China student caused a small issue, but that was because of how postal codes work, not Amazon.co.uk
bear: so I will start the ordering tonight and send an email to the list with the details
dwd: So anyway, this means we can just order the books - anyone want to take responsibility for doing so?
dwd: Oh. Mike just has. Marvellous.
Kev: I think bear just has, which is great by me because I don't want to :)
Kev: Thanks bear.
bear: I will just need to remember to send peter the receipt this time
dwd: bear, I don't *think* we need the details beyond the costs to any list.
stpeter: dwd: agreed
dwd: bear, In particular, I don't think we want the addresses anywhere near the list.
bear: the list sending is just my way of asking kev to poke me if he doesn't see it by monday
bear: oh sure, by nature I'm a privacy nut, so that's a given
dwd: OK.
dwd: So, browserid stuff.
dwd: stpeter, I've noticed with some alarm that you've not said anything on this, yet - do you have any particular thoughts?
stpeter: dwd: I thought it was a good idea when we discussed it in Brussels, but I've been pretty distracted for the last few weeks and I haven't made time to focus on it -- I will try to do that this weekend or next week
dwd: OK, great. I just had a horrible vision of you saying "What on earth are you *thinking*!?", so I'm glad you think it's OK. :-)
stpeter: dwd: I haven't delved into the technical details, but overall it seems like a good thing
bear: I think Simon from buddycloud will also be helping (I don't know if they have announced their news yet re: Mozilla)
Kev: I haven't seen it announced anywhere yet.
bear: they are probably waiting on Moz then :/
dwd: Right. I was looking at more technical detail on this, and I think there's some key chunks we can break out.
dwd: Basically there's a couple of bits of spec (browser->XMPP, and site->browserid), plus the server implementation, plus the browser one.
dwd: Of these, the bit I think we're going to struggle on is the browser-side implementation - the rest seem well within our areas of expertise, so we should manage to get these done.
stpeter: dwd: I'm ashamed to admit that I haven't looked into BrowserID much yet, nor have I thought about the XMPP integration with XMPP -- do you have any kind of writeup or blog post that explores it?
dwd: But obviously the implementation work is somewhat gated on the specs.
stpeter: er, s/XMPP// there
stpeter is pretty much flat out exhausted this morning
bear: let's post to the list a meeting request so folks interested can come
dwd: stpeter, Shockingly, no. But Browserid itself is pretty simple. It's a case of browser gets an "assertion" (ticket) as a credential for a site from the security provider, and the site validates it with a single HTTP request to https://browserid.org/verify
dwd: bear, Yeah, I thought that last time Florian was going to do that, but I may be mis-remembering, and I might have told him I would organize the meeting.
stpeter: bear: well, yes
Zash: I'd describe it as PKI with JSON
dwd: Zash, It's not even PKI, closer to Kerberos.
stpeter: it would be good to schedule something a week in advance or somesuch, and preferably have a brief writeup that folks can read (and not just XMPP folks)
Kev: Two great flavours that taste great together.
dwd: stpeter, Right. I can probably manage the write-up.
stpeter: dwd: yes, it does sound like Kerberos or even OAuth -- the same ticket pattern in all three cases
dwd: stpeter, Right, so in our case what we do need to do is allow multiple verify URIs instead of just one centralized one.
Kev: So we should just do Kerberos-over-XMPP, then. Simples.
Zash: The ticket can be validated without asking anyone
dwd: Zash, Really? Seems like you have to do a POST to the browserid URI.
Zash: s/ticket/assertion/
stpeter: do the security providers register with Mozilla somehow?
dwd: Zash, Actually, I think you're volunteering to help me with the write-up.
stpeter: and do feel free to tell me to RTFM :)
dwd: stpeter, No, the browserid model helpfully only provides one security provider.
dwd: stpeter, Which I think is daft anyway.
Zash: The browser has a key+certificate signed by the ID provider (browserid.org). To sign in somewhere, it signs an assertion and sends that to the site, which can either ask the provider to verify it, or disassemble it and check it itself.
stpeter: as I recall, the browserid.org page basically said "1. Collect Underpants 2. Magic Here 3. Profit"
bear: it's a bit more than that now :)
bear: internally mozilla has gone "all in" for browserid - using it for our own tools
dwd: Zash, The info I can find suggests that a site can't verify the assertion itself.
Zash: dwd: I'd rather think that's because they don't want to encourage people to write RSA code in PHP
dwd: Zash, Oh, then again, it actually says "The easiest way to do this". And that's easiest because there's no info on how else one might.
dwd: Zash, Right - if that's the case we need to figure out whether to continue with that model. But thanks for volunteering to work with me on a write-up.
Zash: Heh :)
Kev: I think "Specs welcome" is one up from "Patches welcome".
dwd: OK - so if we try to schedule another meeting next week sometime, does that work for everyone?
Kev: And we all know what the latter means...
dwd: Kev, That patches are welcome?
Kev: Something like that.
Kev: It was a FOSDEM joke, you had to be there...
stpeter: dwd: in order to have enough notice and a short document for folks to read, it might need to be the week after (Monday or Tuesday or whatever)
stpeter: say, May 22nd?
stpeter: or the 23rd after the Council meeting?
dwd: stpeter, Yeah - how about I (and Zash, now) figure out a detailed technical write-up, and then we send that out and schedule the meeting then?
stpeter: that sounds absolutely super
dwd: Righty.
dwd: On that note, then, I think we may be done.
Kev: Righty. Thanks chaps.
stpeter opens a bunch of tabs about BrowserID
dwd: bear, You've a contact who "really" knows about BrowserID, right?
bear: yes
stpeter: that might be helpful :)
bear: the people who are writing the mozilla stuff
bear: irc.mozilla.org #identity
dwd: bear, Oh, OK. If I have a 1980's chat client somewhere I'll go join in.
bear: :)
dwd goes hunting for a vt100
bear: I can make introductions if you want more of a small meeting type discussion
bear: Ben Adida is very approachable and he is the gateway to the entire Mozilla Identity (now called Personas) project
dwd: OK, cool. If I have trouble getting in with the crowd, as it were, I'll give you a shout.
bear: k
dwd: Zash, So if I get this right, BrowserID is basically a CA?
Zash: Yes
Zash: There's some spec here https://github.com/mozilla/browserid/blob/dev/docs/PRIMARY_PROTOCOL.md
dwd: Zash, OK - so the BrowserId thing is basically verifying your email address, and then issuing a cert?
Zash: Yes.
dwd: Zash, Which suggests that *that* is the bit we could easily run over XMPP, actually. So do I have to verify my email address on every browser I use (laptop, desktop)?
Zash: I suppose the browser prefs syncing should also sync your keys. The rest is up to the CA, it could (as browserid.org does) issue you a normal password that you log in with.
dwd: What, for verifying? Or every time?
Zash: If your device doesn't have a cert, you're supposed to be provisioned one. How the CA determines who you are isn't in the spec afaik.
Zash: BrowserID.org sends a verification email, then lets you choose a password. Then I suppose you could log in with that password to get a cert on another device.
dwd: OK, so it's a global CA which has a single password per user.
dwd: Does it have a single X.500 directory behind it, too?
Zash: Heh
Zash: At least you(r email provider) can run a CA too.
Zash: Fun, so the current implementation passes around big numbers in decimal form. The JSON Web * specs say to base64 them.