- Jef has joined
- luca tagliaferri has left
- luca tagliaferri has joined
- luca tagliaferri has left
- Zash has left
- Jef has left
- Zash has left
- Zash has left
- stpeter has joined
-
stpeter
dwd: does the Board have a meeting soon?
-
Kev
30 seconds.
-
Kev
According to the ML anyway.
-
stpeter
that *is* soon
-
stpeter
I'm shocked to be here on time
- Ashley has joined
-
Ashley
hey y'all
-
stpeter
hi Ashley
-
dwd
Yes, gosh. Meeting time already.
-
dwd
Although we're rather less than quorate.
-
Kev
I think bear was expecting to be here?
-
dwd
Yes. It was amazingly short notice, really.
-
stpeter
dwd: what are the topics for discussion, formal or informal?
-
dwd
Well, there's this browserid project.
-
dwd
Plus I think Mike and Florian were doing things with book shipping to GSoC students.
-
dwd
bear, Hiya.
- bear is here
-
Kev
I poked bear about that yesterday, he was going to check he had all the addresses for ordering books when he was back at his desk.
-
Kev
Ah, and he's here :)
-
dwd
Well, that counts us as quorate if we need to decide anything, I think.
-
bear
yep - I have the addresses, need to send them to Kev
-
Kev
bear: I don't think I need them.
-
Kev
The next step was Board deciding whether to send the books, I think.
-
dwd
So, stupid question - where are our students, geographically?
-
Kev
(And then sending them)
-
bear
all over the map
-
dwd
Kev, I think Board had already decided to send books, actually.
-
Kev
Oh, ok.
-
Ashley
yeah, that's what i recall as well
-
Kev
I remember you saying Bear had to get a price based on where the students were and how much it'd cost to ship.
-
Kev
But yay.
-
stpeter
we need to make sure that people get reimbursed appropriately this time, too!
-
dwd
That, as I recall, was related to a discussion on how to actually ship - basically, not getting all the books shipped to Mike and then him sending them air around the globe, or something.
-
dwd
More likely, we use the power of Amazon, or similar, to order the books locally near the students if at all possible.
-
bear
Germany, Poland, Brazil
-
bear
we never had the books shipped to me - I used Amazon
-
bear
and just entered gift addresses
-
stpeter
IIRC we used amazon.co.uk for European orders before
-
bear
yes
-
dwd
stpeter, Amazon europe is one big thing, AFAIK, so they'll ship from whichever depot makes sense.
-
bear
only the China student caused a small issue, but that was because of how postal codes work, not Amazon.co.uk
-
bear
so I will start the ordering tonight and send an email to the list with the details
-
dwd
So anyway, this means we can just order the books - anyone want to take responsibility for doing so?
-
dwd
Oh. Mike just has. Marvellous.
-
Kev
I think bear just has, which is great by me because I don't want to :)
-
Kev
Thanks bear.
-
bear
I will just need to remember to send peter the receipt this time
-
dwd
bear, I don't *think* we need the details beyond the costs to any list.
-
stpeter
dwd: agreed
-
dwd
bear, In particular, I don't think we want the addresses anywhere near the list.
-
bear
the list sending is just my way of asking kev to poke me if he doesn't see it by monday
-
bear
oh sure, by nature I'm a privacy nut, so that's a given
-
dwd
OK.
-
dwd
So, browserid stuff.
-
dwd
stpeter, I've noticed with some alarm that you've not said anything on this, yet - do you have any particular thoughts?
-
stpeter
dwd: I thought it was a good idea when we discussed it in Brussels, but I've been pretty distracted for the last few weeks and I haven't made time to focus on it -- I will try to do that this weekend or next week
-
dwd
OK, great. I just had a horrible vision of you saying "What on earth are you *thinking*!?", so I'm glad you think it's OK. :-)
-
stpeter
dwd: I haven't delved into the technical details, but overall it seems like a good thing
-
bear
I think Simon from buddycloud will also be helping (I don't know if they have announced their news yet re: Mozilla)
-
Kev
I haven't seen it announced anywhere yet.
-
bear
they are probably waiting on Moz then :/
-
dwd
Right. I was looking at more technical detail on this, and I think there's some key chunks we can break out.
-
dwd
Basically there's a couple of bits of spec (browser->XMPP, and site->browserid), plus the server implementation, plus the browser one.
-
dwd
Of these, the bit I think we're going to struggle on is the browser-side implementation - the rest seem well within our areas of expertise, so we should manage to get these done.
-
stpeter
dwd: I'm ashamed to admit that I haven't looked into BrowserID much yet, nor have I thought about the XMPP integration with XMPP -- do you have any kind of writeup or blog post that explores it?
-
dwd
But obviously the implementation work is somewhat gated on the specs.
-
stpeter
er, s/XMPP// there
- stpeter is pretty much flat out exhausted this morning
-
bear
let's post to the list a meeting request so folks interested can come
-
dwd
stpeter, Shockingly, no. But Browserid itself is pretty simple. It's a case of browser gets an "assertion" (ticket) as a credential for a site from the security provider, and the site validates it with a single HTTP request to https://browserid.org/verify
-
dwd
bear, Yeah, I thought that last time Florian was going to do that, but I may be mis-remembering, and I might have told him I would organize the meeting.
-
stpeter
bear: well, yes
-
Zash
I'd describe it as PKI with JSON
-
dwd
Zash, It's not even PKI, closer to Kerberos.
-
stpeter
it would be good to schedule something a week in advance or somesuch, and preferably have a brief writeup that folks can read (and not just XMPP folks)
-
Kev
Two great flavours that taste great together.
-
dwd
stpeter, Right. I can probably manage the write-up.
-
stpeter
dwd: yes, it does sound like Kerberos or even OAuth -- the same ticket pattern in all three cases
-
dwd
stpeter, Right, so in our case what we do need to do is allow multiple verify URIs instead of just one centralized one.
-
Kev
So we should just do Kerberos-over-XMPP, then. Simples.
-
Zash
The ticket can be validated without asking anyone
-
dwd
Zash, Really? Seems like you have to do a POST to the browserid URI.
-
Zash
s/ticket/assertion/
-
stpeter
do the security providers register with Mozilla somehow?
-
dwd
Zash, Actually, I think you're volunteering to help me with the write-up.
-
stpeter
and do feel free to tell me to RTFM :)
-
dwd
stpeter, No, the browserid model helpfully only provides one security provider.
-
dwd
stpeter, Which I think is daft anyway.
-
Zash
The browser has a key+certificate signed by the ID provider (browserid.org). To sign in somewhere, it signs an assertion and sends that to the site, which can either ask the provider to verify it, or disassemble it and check it itself.
-
stpeter
as I recall, the browserid.org page basically said "1. Collect Underpants 2. Magic Here 3. Profit"
-
bear
it's a bit more than that now :)
-
bear
internally mozilla has gone "all in" for browserid - using it for our own tools
-
dwd
Zash, The info I can find suggests that a site can't verify the assertion itself.
-
Zash
dwd: I'd rather think that's because they don't want to encourage people to write RSA code in PHP
-
dwd
Zash, Oh, then again, it actually says "The easiest way to do this". And that's easiest because there's no info on how else one might.
-
dwd
Zash, Right - if that's the case we need to figure out whether to continue with that model. But thanks for volunteering to work with me on a write-up.
-
Zash
Heh :)
-
Kev
I think "Specs welcome" is one up from "Patches welcome".
-
dwd
OK - so if we try to schedule another meeting next week sometime, does that work for everyone?
-
Kev
And we all know what the latter means...
-
dwd
Kev, That patches are welcome?
-
Kev
Something like that.
-
Kev
It was a FOSDEM joke, you had to be there...
-
stpeter
dwd: in order to have enough notice and a short document for folks to read, it might need to be the week after (Monday or Tuesday or whatever)
-
stpeter
say, May 22nd?
-
stpeter
or the 23rd after the Council meeting?
-
dwd
stpeter, Yeah - how about I (and Zash, now) figure out a detailed technical write-up, and then we send that out and schedule the meeting then?
-
stpeter
that sounds absolutely super
-
dwd
Righty.
-
dwd
On that note, then, I think we may be done.
-
Kev
Righty. Thanks chaps.
- stpeter opens a bunch of tabs about BrowserID
-
dwd
bear, You've a contact who "really" knows about BrowserID, right?
-
bear
yes
-
stpeter
that might be helpful :)
-
bear
the people who are writing the mozilla stuff
-
bear
irc.mozilla.org #identity
-
dwd
bear, Oh, OK. If I have a 1980's chat client somewhere I'll go join in.
-
bear
:)
- dwd goes hunting for a vt100
-
bear
I can make introductions if you want more of a small meeting type discussion
-
bear
Ben Adida is very approachable and he is the gateway to the entire Mozilla Identity (now called Personas) project
-
dwd
OK, cool. If I have trouble getting in with the crowd, as it were, I'll give you a shout.
-
bear
k
-
dwd
Zash, So if I get this right, BrowserID is basically a CA?
-
Zash
Yes
-
Zash
There's some spec here https://github.com/mozilla/browserid/blob/dev/docs/PRIMARY_PROTOCOL.md
-
dwd
Zash, OK - so the BrowserId thing is basically verifying your email address, and then issuing a cert?
-
Zash
Yes.
-
dwd
Zash, Which suggests that *that* is the bit we could easily run over XMPP, actually. So do I have to verify my email address on every browser I use (laptop, desktop)?
-
Zash
I suppose the browser prefs syncing should also sync your keys. The rest is up to the CA, it could (as browserid.org does) issue you a normal password that you log in with.
-
dwd
What, for verifying? Or every time?
-
Zash
If your device doesn't have a cert, you're supposed to be provisioned one. How the CA determines who you are isn't in the spec afaik.
-
Zash
BrowserID.org sends a verification email, then lets you choose a password. Then I suppose you could log in with that password to get a cert on another device.
-
dwd
OK, so it's a global CA which has a single password per user.
-
dwd
Does it have a single X.500 directory behind it, too?
-
Zash
Heh
-
Zash
At least you(r email provider) can run a CA too.
-
Zash
Fun, so the current implementation passes around big numbers in decimal form. The JSON Web * specs say to base64 them.
-
Zash
Suddenly, JSON and base64 everywhere!
- Ashley has left
- Ashley has joined
- Jef has joined
- stpeter has left
- Jef has left
- Jef has joined
- Jef has left
- Neustradamus has left
- Ashley has left
- Jef has joined
- Ashley has joined
- Ashley has left
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined
- Jef has left
- Jef has joined