-
dwd
Kev, While I remember, you had objections to my XEP-0001 pass; could you post them to the list so others can agree/disagree?
-
Kev
Yes. It's in my todo system. This isn't particularly time-critical though, is it?
-
dwd
Kev, I think that the correct thing is that Editor approves Humour, but will run things past Council members and other advisors individually to ensure sanity. Possibly mandate that it's never me, since it hasn't ever been as far as I know. :-)
-
dwd
I'd like to keep momentum up on the discussion, if possible, then we can get it all over with.
-
Kev
OK. I'll try to get to it sooner than later, then.
-
dwd
Ta.
-
Kev
I'm not really sure I like the thought of there being any XEPs for which the approving body isn't either Council or Board.
-
dwd
These *are* Humorous ones. Maybe it needs "in consultation with the XMPP Council Chair" specifically?
-
Kev
It seems somewhat self-serving, but I'd be happy with direct approval by council chair, yes.
-
Kev
Although TBH I'm not sure what the problem with just using Council is.
-
Kev
What usually happens is just someone says to Council, quietly, "I'll be writing along these lines" and Council says "Fine, go ahead".
-
Kev
The counter to "These *are* Humorous ones." being "These *are* XEPs".
-
Kev
If we went with XEP Editors, we'd need to put in place some sort of rules for meetings and approval process, I think, which we don't currently have.
-
Kev
And being able to take a XEP through every step of the process autonomously dramatically changes the scope of the Editor team.
-
Tobias
anyone happen to know if XEP-0027 also works for MUCs? and whether that's implemented?
-
Kev
27 doesn't even work for presence :)
-
xnyhps
27 doesn't work.
-
Kev
And no, it wouldn't work for MUC.
-
Kev
Basically, don't go near 27.
-
Tobias
ok
-
Tobias
with doesn't work for presence you mean you can't encrypt presence stanzas?
-
xnyhps
You can sign presence or encrypt (but not sign) messages. That's all.
-
Kev
No, I mean that there's no protection against replay attacks.
-
Kev
It's full enough of holes that we should just stay well away.
-
Kev
Thus the mail I just sent to council@ about getting rid of it.
-
Tobias
PGP for email doesn't have that either, not?
-
xnyhps
Tobias: PGP signatures contain a datestamp.
-
xnyhps
in email.
-
Tobias
Kev, http://wiki.xmpp.org/web/XMPP_E2E_Security I've started to collect an overview about all proposals out there
-
Tobias
xnyhps, ahh..ok
-
Kev
You should probably mention that OTR doesn't have clean discovery.
-
Kev
Unless you know the person you're talking to has OTR from out-of-band discovery (e.g. talking to them), the experience is quite horrid.
-
xnyhps
I disagree with the "Yes"es for Authenticity and Integrity with PGP.
-
Kev
Right.
-
Tobias
xnyhps, it doesn't provide those?
-
xnyhps
Nope.
-
Kev
We should really forget 27 exists, and get rid of it.
-
xnyhps
Your messages aren't signed, any attacker can replace them with any other encrypted message.
-
Kev
Presumably in the other order, or we wouldn't remember what we were getting rid of.
-
Tobias
xnyhps, that's for XEP-0027, not for email usage of PGP right?
-
xnyhps
Yes.
-
Kev
Tobias: It provides complete protection as long as you have absolute faith in your server, their server, and all the networking in between.
-
Tobias
maybe I just expected XEP-0027 to be too much like email PGP
-
Tobias
Kev, right...why do I need e2e then
-
Tobias
:)
-
Kev
Yes.
-
Kev
See earlier question about burning 27 with fire.
-
xnyhps
+1 for fire.
-
Kev
s/question/comment/
-
Tobias
!xep 27 doesn't have discovery support either it seems
-
Tobias
at least I see nothing about disco in the XEP
-
Kev
Fire
-
Kev
It
-
Kev
Burn
-
Kev
With.
-
Tobias
updated the table...will add a couple sentences in the section above
-
xnyhps
I also disagree with the "No" for multiple resources for OTR.
-
xnyhps
But maybe it's also not "Yes". :P
-
Tobias
right..the detailed answer probably doesn't fit in a table cell
-
Tobias
but I could add a paragraph above in the section of OTR to it
-
Tobias
also wondering what version we should describe there? OTRv2 or OTRv3?
-
Tobias
what's used out there?
-
xnyhps
I don't actually know, beyond Pidgin and Adium.
-
xnyhps
(I'd also say "Malleable encryption" should be "n/a" for PGP, as it doesn't even have authenticity. Sorry for pestering you, I can't find my xmpp.org login.)
-
Kev
I wonder if it'd be interesting to do a 'real' gpg spec.
-
Tobias
it'd at least have great support for offline messages :)
-
Kev
It would.
-
Kev
And at least the methods for trust are established.
-
dwd
In fairness, XEP-0027 is better protection than many of the recent commercial "secure IM" services that seem to have sprung up.
-
Tobias
dwd, to what are you referring exactly?
-
dwd
Tobias, Most of the new security bandwagon services seem based around similarly, or worse, flawed models.
-
Tobias
*most* probably qualifies here, considering the ton of new services
-
Tobias
you guys know of any implementation of RFC 3923?
-
dwd
I don't. I have heard people say there hasn't ever been one.
-
dwd
In fairness, 3923 isn't even a bad design, as far as I can tell, it's just ugly.
-
Tobias
don't RFCs require implementation at some level?
-
dwd
Only to move to Draft, IIRC.
-
Tobias
ah..ok
-
dwd
Which is vaguely silly - they shifted the meaning of each level while keeping the requirements largely the same.
-
Ge0rG
isn't it finally time to consider one-to-one chats as a subclass of multi-user chats, security-wise? After all, you have your smartphone and your desktop connected (or connecting later) and want all your IM backlog there
-
Ge0rG
btw, how did WebRTC solbe the certificate/identity management problem for DTLS?
-
Ge0rG
*solve
-
Zash
There's a fingerprint in the SDP blob.
-
Ge0rG
Zash: how is that supposed to solve anything?
-
Tobias
users obviously will meet in person to validate those
-
Zash
And I don't know if there are actual certificates.
-
Ge0rG
if I meet my users in person, what do I need WebRTC for?
-
Zash
Ge0rG: Define "anything".
-
Ge0rG
Zash: anything is the set of IT security properties that a cryptographic protocol should be able to solve: integrity, authenticity, privacy, nonrepudiation|deniability, and one or more unimportant ones
-
Zash
Ge0rG: And a DTLS fingerprint does not?
-
Zash
Assuming you shuffle that securely to the other party, along with the rest of the SDP stuff
-
Ge0rG
Zash: so you are assuming a secure channel between two parties, which you use to construct a secure channel between these two parties?
-
Zash
The connection to a common server, yes. :)
-
Ge0rG
Zash: a trusted common server that does not manipulate your packets
-
Zash
Yes.
-
Kev
If you don't trust the server, when it's the server providing the application, you're in some amount of trouble.
-
Zash
That.
-
Ge0rG
ok, now that's where XMPP is different from WebRTC
-
Kev
Yes.
-
Ge0rG
does WebRTC support federation?
-
Kev
Different layer.
-
Kev
Or, kinda.
-
Ge0rG
(actually, that question does not matter.)
-
Ge0rG
I just realized that me trusting my own server does not help at all in establishing a federated session through a different, untrusted, server
-
Ge0rG
who can contribute to the xmpp.org wiki?
-
Zash
A bunch
-
Zash
You, if someone gets you an account :)
-
Ge0rG
ah, so the formal requirement is "get yourself added"
-
Tobias
right
-
Tobias
basically you just ask for an account in the jdev chatroom and some admin will likely create an account for you