XSF Discussion - 2013-11-20

I think that is Jers first post ever on a @xmpp.org list, isn't it?

fippo: which one?

standards list?

http://mail.jabber.org/pipermail/standards/2013-November/028280.html

Yeah, I think any previous have been before the Great XSF Renaming.

ralphm, It's the 15th of December we get a go/no-go for the FOSDEM Lounge, right? Do they normally hit that date or is there sometimes some slippage?

yes

no

Bedankt.

:-D

Maybe I could poke them a bit about it

It'd be useful to know as soon as, since we can begin planning more concretely, but I'd prefer not to annoy them.

Lloyd, Ashley Ward - Nice that your server broadcasts how it was shutdown.

If it does then I assume that's what Prosody does by default!

Ashley Ward, Yeah, seems so. Two restarts, eh?

Yeah. Lloyds been updating the TSL stuff on it in readiness for the 4th Jan

TSL = TLS

Right, yes. I think mine's about ready now. I've been trying to get otalk.im deployed, but it's not yet working for me.

Be interested to hear how you get on with that.

SLowly.

I'm really not experienced enough with Node and modern webapp stuff to figure out what's broken about it.

Hehe. Tell me about it - I've only barely figured out how all this node stuff works. I understand it okay as long as nothing goes too badly wrong!

I spent literally hours downloading extension after extension.

Edwin Mons did the same for our machine the other day. He experienced issues with both disabling SSL and compression.

Well, prosody failed to do any TLS if I disabled compression.

that counts as 'experiencing issues'

:-D

It does.

That might be due to the hackish nature of our setup, though. I had to do a bit of library mapping to get luasec to use the openssl from ports.

Instead of the system openssl.

(FreeBSD based)

FreeBSD? But you don't have a beard...

dwd: in spirit only ;)

Nor does Kurt, for that matter ;)

dwd: I have a beard

and we co-admin

dwd: although I really do need to shave. It's not a full beard yet.

Heh. Lisa Dusseault's applicaiton doesn't mention that she was the one who coined the term "stanza".

Voted. :-)

dwd: fix it for her, it's a wiki after all :P

dwd: she also denies coming from IRC ;-)

Nobody admits to any involvement there, though, right?

Voted as well. A shame dwd beat me to it ;)

isn't there a comment function in the Wiki?

Discussion page, at least - I've added a note there.

The talk page. But who looks there.

ya

Discussion, yes.

Both the new applicants look good. I also realise I know nearly every reapplicant personally, too.

OK, "Yes" isn't a valid response to the memberbot.

That seems a little bit overly restrictive.

Gosh. I hadn't actually noticed.

Just noticed Diana didn't reapply.

I also get the feeling Florian's heart wasn't really in this.

You'd think with all the time he had to spend on SFO, he'd have had ample time to create a beautiful page there.

That one might be my fault.

[17:26:45] David Cridland: Just put up a blank page, nobody reads them anyway. [17:30:00] Florian Jensen: lol [17:30:02] Florian Jensen: I'll try that

In fact, I'm not convinced that his application is legal.

Oh?

We have to provide affiliation information.

That is actually a good point.

Oh. Actually I can just add it into his application; assuming I'm right in thinking he's now working for Uber?

But no, we should just contact him, actually.

I think editing someone's application is not really the best of ideas...

I'm opposed to people editing other people's applications.

Edwin Mons, It doesn't seem quite right, does it?

dwd: that's one way of putting it.

On the other hand, it's too late to edit applications at this point.

Does Florian get disqualified on a technicality? That would be ... amusing?

So the only way he could be disqualified would be to argue that his written application is not in such a form as has been adopted by the Board.

I think, anyway. So we'd need to decide on what form actually has been adopted by the Board.

Which is listed on http://wiki.xmpp.org/web/Membership_Applications_Q3_2013, no?

OK, when was that adopted by the Board?

The list of required elements is quite clear.

dwd: You tell me, you're on the Board :)

Edwin Mons, As far as I can tell, the Board agreed a few years ago to require a full name, which is *not* listed there. Can't yet find if they require anything else.

I suspect the Board could, and should, issue an edict^W^W^Wadopt a resolution that an application must include full name, email, jid, and employment details. I'm struggling to find if the Board ever has done so in the past, though.

Also, reading the bylaws, I'm surprised to note that companies can be members too.

for reapplliers we never were that strict about this information. I guess because we assume that the info did not change and we got it with the 1st application

Right, something else for the Board to deal with, then.

yes

Alex, You were Chair when that Solarius guy stood without a real name - do you know if the Board "adopted such a form" about member applications then? I thought it did, but I can't find anything.

I think it did, but the members didn't accept it and voted him down.

Oh, so maybe we just didn't vote him in and left it.

it was a long discussion at that time, but I can't remember exactly what the conclusion was. But we accepted his application and at Fosdem verified his idendity when he showed up. That was a strange guy

I remember Christ had to share a room with him.

I've read through the members@ thread, and also the next Board minutes, and can't find any conclusion. Certainly no Board resolution.

Good thing we have voting-by-proxy, because the meeting is at Sinterklaasavond.

Mmmmmm... mini-cookies....

wow 6 voters in the first 60 minutes, looks like we can achieve a good turnout this quarter ;-)

If we can keep up the momentum...

http://wiki.xmpp.org/web/Membership_Applications_Q3_2013 might need an update.

For the meeting dates, you mean?

r

updated

Murky buckets.

Has memberbot dropped offline for anyone else?

Lloyd, Online for me.

Online here.

Lloyd: Check no-one's been fiddling with your server ;)

And responding.

Lloyd, Right, could be some dodgy sysadmin breaking things.

:P Changes were made last night, gave it a kick earlier for another reason

I quite like Brian Carpenter's note to ietf-disgust saying that the main advantage of all these multistakeholder meeting groups has been to mire all attempts by governments to put international treaties over the internet.

ietf-disgust... ;-)

Not, sadly, my gag. I forget who uses that; one of the ADs I think.

*possibly* Adrian Farrell.

update: think it was adium being a pita, using xmpp-ftw to vote intead :)

Heh

/Now/ memberbot isn't responding for me.

I've already voted, but it should still talk to me shouldn't it?

Ah, there it is. Just lagging a few minutes.

Same over here.

It's simulating a real human

or it's actually Alex simulating a bot

So you're saying there is no memberbot, just Alex?

Or that Alex is a bot faking being a human faking a bot?

Or there's no Alex, only the bot.

Hmm. I'm pretty sure I met someone who claimed to be Alex a few times.

Edwin Mons, Just shows how good that bot is.

Fair point. He/it sure passed the Turing test when I talked to him/it.

(Alex, not the memberbot)

kev: it was quite slow earlier

Lloyd, ALex, or the memberbot?

:) memberbot

Kev, You're Councilling today, aren't you?

and since membership voting and meetings actually *happen*, it must be stpeter simulating them both

dwd: Yes, 16:10Z

MattJ :D

dwd: Pam?

Kev, Just so I could wander into the room and nod politely.

dwd: like Kev does for Board?

I was very good!

Kev: one occasion is not a pattern, but can be a good start :-P

You might be overly optimistic if you want a pattern :p

5 minutes (or so) to the board meeting

current agenda: - Board Chair election - FOSDEM preparation update - IoT Liason update from Peter - Membership application question from Dave - Next meeting time

I sent through a couple of things regarding security

Simon had some stuff, didn't he? Or am I confused?

Right. Not too confused.

howdy

oh poo

good

I missed the last meeting, I huess treasurer and secretary is not yet elected?

huess==guess

No, we haven't yet reelected you.

had that in my notes and forgot to add that line

how are we on attendence today - me, dave, ralph, simon

has someone poked Laura

Laura sent apologies to the list.

Lloyd, I assume she's still caught in whatever she was called into?

bear, She's not online anyway.

By 'the list' is this members@ or board@?

yes

in the past I've encouraged the Board to consider the various "positions" (secretary, treasurer-always-unfilled, and executive director) in January after they've interacted a bit with those currently serving in those roles

Glad that's cleared….

perhaps it makes sense to formalize that

Kev, I can't remember where she sent her "I might not make it".

stpeter: I can see the logic in that, yeah

dwd: on the board list

(because sometimes we have new Board members and they don't know who all the people are)

stpeter, But not Chair?

her missing the meeting note went to the board list

dwd: the Board selects its own chair and needs to do that straightaway, methinks

ok, we have quorom, shall we start?

bear: please

+1

stpeter, Yes, I'm inclined to agree, but it's technically a position just like secretary etc.

the Secretary, Treasurer, and Executive Director are appointed or serve at the pleasure of the Board

IMHO

anyway

off you go :-)

any items that anyone want to add to the agenda?

(I know about the item that I missed from Simon)

ok, none given

ya, the current discussion about election schedules

Alex - noted

any others?

nope

first item: nominations for Board Chair so we can vote on them

I think you were going to discuss github for submissions, at some point.

yes, but I need to get the git mirror in place before letting the membership know it's a change (well, that's what I was thinking)

Nominations for Chair - do we have anyone who wants to nominate someone?

dwd: yeah sorry just caught up, she hasn't arrived back yet so I assume so.

I'm happy to do it, but happy to let you continue if you want.

ok, Dave has offered what can only be described as a passive aggressive nomination ;)

:-)

I nominate bear

ok

simon?

I read bear as nominating himself anyway. :-)

I was leading the charge for passive aggressive nominations

so either fight now, or vote ;-)

:)

What's Kev's role these days? Would he be eligible for nomination?

He's not on the board...

kev is a member of the council, not the board

Edwin Mons, The chair need not be on the Board.

dwd: ah :)

At least, I see nothing at all in the bylaws that would indicate that.

and voted by board members

or elected

Simon: did you want to nominate Kev?

The Board selects its chair, but the chair needn't be a Board member themselves. It's on a par with the other positions the XSF has, like Secretary, Treasurer, etc.

It would help if we outlined the responsibilites of the chair. What's their role?

running the meetings

/duties?

k

Simon: this is outlined in the by laws

That and, interesting, the Chair has the casting vote in the case of a tie.

it's purely administrative - there are some bylaw specific duties that being charted as a org requires

in all the time i've been aware of the board, I don't think we've ever had a tie

That's because we try to pick odd numbers for both Board and Council, I think.

(Less important for Council)

dwd: the Board has traditionally selected a Chair from among the Board members, but you're right that it's not required by the bylaws

Oh, I lie - it's the Executive Director that has the casting vote.

That sounds more familiar.

ok, the point still remains, does simon wish to nominate someone (or do ralph and dave wish to nominate anyone else)

I nominate Kev.

k

any others?

nope

dave?

No - without anyone else willing to nominate me, I'll withdraw, as well.

you don't have to withdraw IMO

No, I don't I don't have to. :-)

I know I don't have to, I mean.

ok, so we have two candidates: bear and kev

ok, so we now have two people, Kev and Bear

shall we vote?

yep

Erm, wait.

It'd be handy to know if Kev accepts the nomination, first.

Sure, what's the worst that can happen? :)

You get twice as many minutes to write up?

(I don't like people being on both Board and Council, but I don't think this counts as Chair gets no power)

Kev: that we vote for you and for all the other roles, too?

ok, Kev has accepted - ready to vote now?

Yup.

simon, ralph - ready?

yep

yeah

sound off then please

+1 for bear

+1 for Kev

+1 for bear

I was wondering about the wisdom of tying it, and therefore letting either Peter pick, or else making Laura do it instead.

i would say that we send it to laura if it tied

but I would also just remove myself and let kev do it - he has a very capable meeting running style

dwd: about the minutes, technically it is the Secretary's duty

I don't think it's appropriate for me to express a preference, given that the Board is the one determining whether I continue to serve as Executive Director with all its many perquisites of power

stpeter: tough luck, should have written the by laws better :-D

any opinion is always appreciated

I'll vote for bear. On balance, I think having Kev as Chair of both Board and Council would probably not be ideal.

the current board "season" has already proved to be very divergent from past ones

I want to note that I have to leave in a few minutes

Safe :)

dwd: agreed

ok, I see 1 for Kev and 3 for bear - that is done, i'll continue as Board Chair

woot

next agenda item: meeting time - shall we continue with bi weekly for next week and i'll post to the list for anyone to object?

+1

s/next week/next meeting/

simon, dave?

I think we agreed on a meeting this time next week anyway.

indeed

+1 for next week

k

But as for ongoing, I'd like to hear from Laura on whether there's likely to be too many clashes for her at this time.

meeting nextg week at the same time slot

agreed - we need to put this to the list so she has ample time respond yea/nea

why not weekly? fortnightly can get confusing ("do we have a meeting this week?") -- the meeting can always be short if there's not much to cover, as Council meetings are

stpeter: I suggested this before, and still agree

+1

Yes, I agree, weekly is better.

I find it works well for Council, even if half the meetings end up being "1. Roll call 2. Date of next"

noted, i'll reinforce that in the email

next agenda item i'm making FOSDEM report since ralph is time constrained

dwd had a short chat on this earlier this week

is there anything that is board actionable for FOSDEM yet?

no

Not yet. We're somewhat constrined because we can't really commit until we've heard whether we get the Lounge again.

we were talking about doing some kind of t-shirts/hoodies/whatever again

has the wiki page for the next summit been created so we can start to note details and pending decision items?

yeah, we formally won't know until half december

ah - ok

bear: I will do this tomorrow

eh

thanks ralph

Oh, we have quite a large page on SUmmit_15.

there is a summit page already, though

dwd: that's mostly a copy of previous editions

yea, it seemed overly detailed

ok, anything else needed for ralph and FOSDEM?

but I think a separate planning page for us would be good

with things like the gear we need and stuff

+1

shall we move on to the next item - IoT Liason report?

I was happy for the IoT mentioning some stuff for the XMPP UK meetup, and I'd love to have some stuff from them at FOSDEM

FOSDEM is even earlier than usual this year, so preparation in December will be important

ralphm: yes

the location is an ideal venue for things like this

FOSDEM is hardly earlier

one day or so

sure

FWIW, I'll be offline most of December and the start of Jan.

Simon: good for you :-)

:)

Simon: booh

ok, about liaison relationships...

peter - can you give your IoT liason update?

as you know, we've received a liaison request from ISO TC 122 (logistics stuff)

we need to finalize that

I did send an inquiry to them and they replied, so I will send information about that to the membership

it was a small issue

but we need to finalize it

I'll have time to do that now

I have also had some preliminary discussions with two other groups

We were finding out whether the specifications were under NDA or similar, weren't we?

not quite NDA

but they keep their specs under wraps until finished

Right.

so if we assign two people (or whatever) to be liaisons, those people couldn't share the documents with, say, any XSF member or even the Council

workaround: we could appoint the entire Council to be liaisons, but they might not care about the topics under consideration

but they would not be barred from discussion specific items with council?

I think at least one should be on the Council

ralphm: good idea

What is ISO TC 122? The best I coluld find was the ISO packaging committee

Simon: logistics

lorries and such

"this vehicle did not arrive at its scheduled location on time, has it been hijacked?" that kind of thing

fleet monitoring?

bear: as best I can determine, yes

We use TLS; we're immune to hijacking, right?

Right. What's the aim of liason - tech help or?

so let me describe the two other liaison relationships and then I think we can talk in general about our approach

I didn't even need to read the sender of that to know it was a DWD post.

:)

Simon: review their technical specs so that they don't use XMPP in silly ways

dave - can i watch you try to MiTM a lorrie session?

this

Sounds very useful and a good way to generate an XEP down the road.

the other two are IEC TC 57 (electrical grid stuff) and UPnP Forum

bear: Sorry, with that comment I'm forced to post http://b.oooom.net/1r8t

IEC TC 57 seems to be interested in using XMPP in ways similar to the OpenADR folks did in the USA, but globally

I reviewed the OpenADR work informally (no liaison relationship needed) last year

IEC is more formal

kev - that is an epic video IMO (and i'll stop derailing the thread now)

If they're extending, rather than using existing stuff, do we want them to do so within the XSF and the XEP framework, or don't we care?

so they'd want something similar to what we do with ISO TC 122

so far, these have not been extensions but "profiles" that re-use their existing XML payload formats

they're just using XMPP as a transport

at least during the initial phases

While on the subject of liason, it would be great to help out the mozilla folk more in their wg-presence list.

Simon: yes

the other liaison relationship people have been exploring with me is UPnP Forum, which is basing its "UPnP Cloud" technology on XMPP

https://mail.mozilla.org/pipermail/wg-presence/2013-November/000143.html

and there is a call tomorrow 10AM PST

stpeter, So how does the UPnP stuff work in terms of specification access?

(BTW, the last two have come about through people within Cisco poking me to help out since I'm the "XMPP Guy")

dwd: I am not sure yet about that -- the discussions have been quite preliminary and I don't know the details, although I was on a call with some of the UPnP folks recently and they asked me some technical questions about XMPP

since I work at Cisco and Cisco is a corporate member of these organizations, I haven't needed to sign an NDA or become a formal liaison or anything like that

but both IEC and UPnP Forum seemingly would like to also establish a more formal relationship

I'm happy to add my name to a list to help out with liason (inside or outside of any official role). Can sign any NDAs privately too.

That seems like really good news.

XMPP is now an old technology and these more formal SDOs are getting interested in using it :-)

so the question for the Board is, do we want to set some guidelines for establishing liaison relationships with other SDOs?

That's it I'm leaving - you make me feel old.

stpeter, It'd be useful to steer these guys into working "our" way as much as we can, but it's good that they're inetersted at al.

we have 3 in the pipeline now, and might have more in the future

I think we need to have a wiki page (or something) that outlines how a group can make contact with us for that

stpeter, Is there anything you need form us at this stage?

dwd: these organizations are quite formal in how they work, especially ISO/IEC -- they're multistakeholder organizations etc.

dwd: so I don't think we'll steer them anywhere :-)

dwd: I think we need direction from the Board about our preferred way of working here

at a minimum we can make sure XMPP is not dismissed for bad information or FUD

stpeter, Right, but since we have a formal membership, I was wondering if all members could get access to the specs for liason, etc.

e.g., "at least one Council member"

I guess this really depends what they are looking for? Technical help? Design help? Protocol approval?

dwd: typically these groups seem to want consolidated feedback, so opening up access to all XSF members might be complicated

dwd: e.g., do we need to take an XSF vote on our review feedback?

stpeter, Yes, we'd want communications to be formalized through a liason.

Simon: good question

this really sounds like something that the Council needs to be a part of - since that is the group the membership bestows formally the task of ensuring technical accuracy

So this could be a working-group scenario (probably staffed by fine council members)

stpeter, As far as choice of actual liason goes, the COuncil ought to be selecting the people.

Simon: in my experience so far, these groups have independently decided they want to use XMPP, but they're experts in other domains so they want someone who knows about XMPP to give them some design help with the XMPP aspects and review their work so that what they produce is consistent with the Tao of XMPP

dwd: I think that's something Board should give blessing to, if that's what we do.

I also think working group, maybe only with elected members from the council or board

I note that in the IETF, it's the IAB (not the IESG) that appoints liaisons

at first we could consider it a board+council working group and if membership expresses a strong desire we can make it another voted group?

These are people representing the XSF, in private. There's clearly relevance to both parties.

stpeter, Right, but the XSF Board isn't the IAB, the XSF Board is the ISOC Board.

dwd: no one knows what the IAB really is ;-)

but anyway, we need to figure this out

stpeter, However grew the biggest beard.

Whoever, even. My typing's gone today.

my preference is to have only a single liaison or a small number of them

not the whole Council or the whole membership

single liason from a small(ish) pool?

OK, so I'll suggest that the Council provides nominations for liasons to the Board on a per-project basis, and the Board ratifies that.

I'd be fine with the whole Council, actually, but they have enough to do

another question is whether liaisons need to be XSF members

dwd: that approach seems reasonable

I want to say yes to that - as liason will represent the XSF

Oh, indeed... Yes, I think we do want liasons to be XSF members typically.

bear: yes, I think so

It's not clear if we want this to be an unbreakable rule.

dwd: not clear to me either

I don't like unbreakable in general

:)

because a person may be needed due to problem space expertise

we could consider a liaison team to be a work team per the bylaws

(btw)

in that case we should have both

If we had, say, two people on the liason team, I'd be happy to mandate that one of them must be XSF.

yes

So let's do this on a case by case basis until we have a repeatable pattern. I'd be happy for the first liason to be made up of a council working group of ~3 people that feel strongly about the topic and can sign up/and sign an NDA to work on the topic.

stpeter, Yeah, that's XSF members only, right?

dwd: yes

peter - agree that liason should be a work team

bear, That does make it an unbreakable rule that the liasons are XSF members.

Is this a particularly productive discussion about a situation that hasn't come up? :)

ok, following simon's lead: we (the board) will ask the Council to nominate 2+ people to form the initial liason team and then iterate on that as needed

Simon: that's a good question, I don't know if these groups do have formal NDAs but it's something similar (and that's something the XSF is probably committing to by setting up a liaison relationship although right now I don't recall the details for ISO and I haven't heard about them yet for IEC or UPnP)

Kev: :)

Let's keep XSF members only for now. If something comes up where we can't fulfill that for some reason, we'll tackle it then.

Kev: I was suggesting that we use the work team model because it's already in the bylaws and we don't need to design new process for it

So, also, yes - use the work team model.

+1 to work team model

ok, do we have any other colour choices for this bike shed?

:)

bear, So I'd like to move that for any liasons, the COuncil nominates a small team (1-3 typically) to act as liason work team, which the Board ratifies.

http://xmpp.org/about-xmpp/xsf/xsf-bylaws/ Article VIII by the way

dwd: seems reasonable to me

I suggest that we take dave's summary as our actionable item for this

+1

ralph?

(wondering if he is even still here)

Gone I think.

But we're still quorate.

k

(just)

dwd: you love the word 'quorate' don't you?

Kev - what is the best place for the board to ask the council for this - on the mailing list?

members@ list I'd think :-)

Poke me on the Council list to put it on the agenda, I"d have thought.

other members might have ideas too

stpeter, You're upbraiding me for linguistics? Pot, kettle, black!

What's next on the agenda?

And sure, copy members@.

Peter - can we then get you to post that request for the current liason spot on members@ to the council

" - Membership application question from Dave"

bear: sure

Defer it until a next meeting.

bear: Poke me via IM to try and fix that, or Peter.

kev - will do

ok, dave's question is deferred to next

that leaves simon's item about planning for security day

bear: fixed

thank you sir

We really need a good set of technical documents on how to pass the security day. And we need to start ramping up publicity for it.

Simon, I'd rather defer your publicity questions until Laura is present.

I've tried to have some of these here. http://wiki.xmpp.org/web/Securing_XMPP

publicity we can do with laura - sure

we can raise the issue now to get started, most of this I think should be on members@ list

but we should think about nudging the different XMPP server groups to publish the bare minimum to pass the tests.

Simon: yes

I'll start this with a post to jdev

Simon: great!

and we should also ack the great work that thaijs has been doing on the xmpp.net project.

Simon: I'm happy to poke people like Matthias and Artur directly, too

that's the most amazing piece of light shining into the dark corners of insecurity.

agreed

Wish we had something like that to test XEPs :)

that is something we can discuss with Laura, ways to show focus on members activities

Simon: actually, the UPnP folks asked me about compliance testing suites but I didn't have much to offer

ok then that's my bit - but everyone please keep tweeting and mentioning the upcoming date.

4th Jan :)

Simon: will do!

if anyone wants to see a blog post happen, please do poke me via IM or email and I'll generate one

the DNSSEC stuff isn't doing any harm with the IAB either :) Dan York loves us.

yep!

Also pleasing to see Hannes joining in.

Dan and I plan to write an Internet-Draft about being a "Jabber scribe" (as they call it) during IETF sessions

Hannes?

another IETF character

Tschoffenig.

Author of the most Internet Drafts, I seem to recall.

right - so that's my security bit for this week.

Hannes Tschofenig

that is the last agenda item, any agenda bashing for this meeting?

no AOB here

None from me.

I note we need to think about GSoC at some point. Potentially not now.

noted

(But agenda for next week would be good, please)

I have a huge presentation to make internally in 15 minutes so I'll ignore this XMPP stuff for a little while

the only board business left to do is to affirm roles

secretary, ED and so on, but I don't mind at all deferring that to another meeting

so that the new board folks can acclimate

bear, stpeter suggested doing that in January.

+1 to that

ok, then I am calling this meeting done - any objections?

no objections here!

simon, dave?

done

Close away.

any volunteer for meeting minutes - if not, I will do them tonight

gotta run, bbl

and I'll post the meeting announcement with agenda list to members@ tonight also

ok, meeting is done

minutes and agenda will be sent to members@ by me tonight

thanks all for a most epic meeting

Yup. Epic. :-)

yea, seriously not a Kev quality meeting today ;)

Four times as good as a Council meeting? :)

:)

board meeting notice sent to members@

more details to follow, switching of to $dayjob now

s/of/over/

My understanding is that all that's going to happen on 4th January is that people will need to have some sort of cert in place, is that right?

(That is - no-one's going to be requiring TAs and valid certs)

kev: that is my understanding as well. require TLS, but don't check certs

reminds me that technically we should have a spec for starttls+dialback by then

Good, it'd be a shame to have to replace my five-year-old cert. I've gotten attached to it :D

that's actually one of the questions we need to work out for that

i'll be sad to see fippo have to replace his cert too :p

I'd say that for starttls+dialback only non-trusted or self-signed are egibly

but no certs that have expired or where the hostname doesn't match

Because a self-signed cert that's expired is less trustworthy than a selfsigned that hasn't?

no. because expired certs like mine should break

so i am forced to update it

and more important, so i notice something is wrong

And ADH is better or worse than an expired self-signed cert? :)

i dont think 6120 allows ADH :-p

but yeah, it's not a security question

Oh, does it not?

I can't find anything immediately disallowing anonymous suites.

right

it talks about a certificate in alot of places though.

It's not immediately clear to me that anonymous+dialback is any worse than untrusted+dialback

Is it?

i think they're the same as far as starttls+dialback is concerned

untrusted+dialback has some advantages for d-w-d

And pinning.

Interestingly, though, -PLUS+ADH would still be better for clients that any other mech+a trusted cert, I think?

Well, depends what you consider the attack to be, I guess.

With -PLUS I don't think it matters whether you use ADH or any kind of cert

It does if you think the password might be compromised elsewhere.

hey - can I suggest you guys talk about this over in jdev?

The XSF isn't an appropriate venue? :)

it is - was just tyring to raise the awareness higher and jdev has more lurkers

Simon, the "Securing XMPP" is making me uneasy

^ +page

what's up?

It's just looking so complex...

I know.

when the correct answer for Prosody users is really just... make sure you're running the latest versions of everything

I can't speak for other implementations

DANE is complicated and would need a whole tutorial by itself, it's not production-ready yet IMHO

Agreed. Let's cut it out.

We need better docs, but I don't think it belongs in a high-level page such as this

I need to work with Zash and other folk who have it deployed already to document it

mod_s2s_auth_dnssec_srv isn't DANE

More testers and we can iron out the implementation and setup procedure

Presumably on 4th Jan ops will need to add c2s_require_encryption = true s2s_require_encryption = true ?

Zash, there was a mod_dane or something though?

MattJ: No

Simon, yes, that makes sense - I'm happy with that being on that page

But cipher strings and such... I'd rather users just leave that stuff to us, unless they really know what they are doing

Also Prosody seems to treat client and s2s connections the same.

So we should just have a general section.

Treat how?

I mean with keys and ciphers.

Yes, it does (though in trunk you can separate them - most people don't need/want this)

But yeah - it's late now, but I'd like to restructure the page more as a "for things to work on 4th Jan, you need to add the following to different servers" page.

Promise to look at this in the morning.

I can help with that perhaps, I think most of the information is there now

It just needs restructuring and simplification

boiling down to the essentials

I suggest we structure it by Server, not c2s and s2s as teh page is done now.

Agreed

then we have just the commands for each server.

I think that will help a lot

yep

+1

that all sounds good

Oh, and that reminds me I have some stats to post to jdev

stats++

BTW, I ran into a bit of an issue with Prosody. I'd sort of assumed that I didn't need to install an intermediate certificate from my ca. Found out the hard way.

yeah, intermediate certs are a pain

it might be nice to be more explicit about this in the docs.

http://prosody.im/doc/certificates#certificate_chains

/might be nice if I read the docs.

you could loose the link to xmpp ica. :)

A certificate issues by an intermediate CA is rarely usable on a server without the ICA's cert somewhere

Yes, I'll fix that :)

*issued by

XMPP.net is great for testing these things though :)

yeah for sure, Thijs rocks

+1

+1

about 1000 times as much as my 2007 openssl s_client patches ;-)

we should give Thijs an award of some kind at the next Summit :-)

free spare ribs?

I still have on my desk the "Jimmie" award I earned in 2000 :-)

:)

"Best Performance by a Deity" :-)

+1 on awards.

I need to take a picture of that

Simon, I've updated the docs on ICAs and simplified the wording now

excellent :)

I'm re-layingout the wiki page now.

to the chagrin of "come to bed now Simon"

what is wrong with me.

:)

ok - slightly better formatted now.

http://wiki.xmpp.org/web/Securing_XMPP

Perhaps we add "optional" to the gmail.com exclusion

And that's also not going to work

Yeeah, we have a small issue there

s2s_insecure_domains isn't exceptions to the encryption requirement

I'll let you guys look after the prosody config :)

I can hack this into mod_manifesto though perhaps :)

can we do even unauthenticated encryption with gmail? even anon-DH would be better than nothing

stpeter, nope

They have no TLS whatsoever

Simon: thanks for the updates, time to go to bed!

sigh

stpeter: +1

gnight

they're encrypting stuff between their data centers like made, but don't care about user communications?

s/made/mad/

and Prosody's s2s_require_encryption has no exclusion list

That could be a bit killer. Certainly for me I'm not goting to get a bunch of folk off gmail for a while.

Simon: yeah I know :(

Simon: worry about that tomorrow, ok? ;-)

deal

night all

:)

'night :)

I see gmail folks moving on this only after we can show serious peer pressure that they are the *last* one to be insecure

yes

Call me cynical, but I doubt it somehow

perhaps they'd rather turn off federation entirely

yea

I think federation is hanging by a thread (or maybe a piece of string) - their reaction to the peer pressure could be that someone there realises this is their last insecure service

and then decides it's best turned off

right

everyone move to Hangouts and be done with that pesky interoperability stuff

:)

sit in your silo and be happy already

heh

Matt - what is happening with your sign-up service?

Simon: go to bed already!

Simon, you were getting some sleep

and... I'm hoping to get to it at the weekend

Simon: I'm going to kick you out!

someone just kick him from the room already :p

It's currently a weekend-only project (I'd like to remove myself as the bottleneck ASAP though... get it up on github or something)

psa means business

LOL

does prosody (or other xmpp servers) allow UDP connections?

hmph

and ... I see Matt answering

hmph, I can't figure out how to kick people in Adium :P

bear, XMPP over lossy transports will be... unpleasant ;)

/help

hmph

ugh - it won't let a mod kick a mod

no, it's a UI or PEBKAC issue

I just tried it using swift

I can't figure out how to kick anyone

Occupant role change failed: Not allowed

that's the error I got

damn MUC protections!

security be damned!

bear, XEP-0045 says you have to demote first :)

stupid specs

evil corporations defined this garbage!

heh

alright guys, lets make a new room and all move there

I'm sure half the people on standards@ would agree with you

and the other half won't

well, Simon got the message :P

:)

MattJ - yea,udp seems overkill, maybe they are solving/asking the wrong question

If they really want presence over UDP... SIP? :)

stpeter: maybe not

ralphm: we just don't know, do we? if the right people read your + posts, things will all turn out well ;-)

stpeter: hmm. I think the technical people mostly did, but have no say

ralphm: likely

which post?

that's how big companies often work (i.e., evil corporations)

I like how hangouts recently addes things like moods, in-call and device status. http://m.iclarified.com/entry/index.php?enid=35592

adds

bear: the ones rectifying google back in May

ah - ok, thought maybe I broke my reading list again

but eh PEP