XSF Discussion - 2014-03-06

  1. Zash has left
  2. Ash has left
  3. Tobias has left
  4. Alex has joined
  5. intosi has joined
  6. emcho has joined
  7. intosi has left
  8. intosi has joined
  9. emcho has left
  10. m&m has joined
  11. m&m has left
  12. emcho has joined
  13. emcho has left
  14. emcho has joined
  15. emcho has left
  16. Zash has joined
  17. emcho has joined
  18. Ash has joined
  19. Lloyd has joined
  20. m&m has joined
  21. martin.hewitt@surevine.com has joined
  22. fippo "There is a lesson here. Standards are there to make your life easier." -- http://www.chriskranky.com/amazon-mayday-maybe-using-webrtc-cares/
  23. m&m I thought standards are there to prove I'm right, for all values of "right"
  24. fippo they're terribly useful for that, too
  25. simon has joined
  26. ralphm https://twitter.com/MaciejMusialik/statuses/441515074063466496
  27. m&m sadly too true
  28. ralphm but fippo is fixing that, right fippo, right????
  29. Zash has joined
  30. fippo later today (-:
  31. fippo after talky finally has its turn servers
  32. ralphm awesome
  33. m&m btw: there is a TRAM working group that is improving TURN
  34. m&m if you're not already paying attention there, I think we should
  35. m&m (TRAM working group at the IETF)
  36. fippo i'm paying attention
  37. fippo but my need for turn is mostly satisfied by draft-uberti-behave-turn-rest ;-)
  38. emcho has left
  39. Zash And there's a TRAM session later today
  40. dwd Oh, I forgot about DANE.
  41. Zash And that's now :)
  42. m&m is TRAM today?
  43. fippo https://twitter.com/danyork/status/441503787560493056 <-- there was no space left
  44. m&m oi
  45. m&m too many conflicts
  46. dwd Zash, Indeed. Is it interesting?
  47. emcho has joined
  48. dwd I think, looking at the agenda, I've missed everything I meant to listen in on anyway.
  49. Zash m&m: or .. I might have been looking at yesterday
  50. Zash so nm
  51. Zash dwd: Interesting. But now it's semantics ^^
  52. Tobias has left
  53. Tobias has left
  54. ralphm dwd: way to go
  55. Tobias has left
  56. dwd In my defence, I've been quite preoccupied recently. :-)
  57. Tobias has left
  58. Tobias has left
  59. emcho has left
  60. Kev I'm vaguely regretting only turning up for Tuesday.
  61. dwd If timing had been different, I'd have thoroughly enjoyed turning up for the week.
  62. Kev This week wasn't convenient for me, I had to be home yesterday.
  63. dwd I'll just have to go to Hawai'i instead.
  64. Zash Haha
  65. dwd Zash, Someone's got to do the hard jobs, you know.
  66. m&m you clearly weren't at the admin plenary; Hawai'i is a terrible burden to go to
  67. emcho has joined
  68. fippo but all the important decisions will be made there
  69. dwd fippo, Put your expense claim in early.
  70. fippo so like it or not, you have to go
  71. Kev Right. Certificates for XMPP servers. Do folks still use startcom?
  72. Zash Folks do, yes.
  73. dwd I went for a Comodo cheap-but-not-free cert.
  74. m&m there's quite a few
  75. Kev How cheap is cheap, and why is it better than free? :)
  76. dwd I think my two certs were somewhere around £15.
  77. dwd StartCom are free, but revocation costs about £50, whereas it's free with me.
  78. intosi has left
  79. intosi has joined
  80. m&m that is a good point
  81. m&m you want revocation to be cheap, in case you get compromised
  82. dwd So to some extent, I'm paying for a brand I trust to know what they're doing, and paying an insurance premium.
  83. dwd m&m, Right, I don't want to get compromised and *then* stung for a hefty fee.
  84. Kev "Starting from £41.95 per year"
  85. Kev This sounds like significantly more than £15.
  86. m&m I think Startcom is free if you paid for a premium cert
  87. dwd https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
  88. Kev dwd: The text on https://www.namecheap.com/security/ssl-certificates/comodo/essentialssl.aspx, which is the £15ish one, seems to suggest it's single-domain-only (i.e. no MUC child). Sound about right?
  89. dwd Ah, yes. My two are single domain. But dave.cridland.net was covered, unlike StartCom.
  90. dwd FWIW, I think mine are the top one on that page.
  91. dwd I have one for cridland.im and one for dave.cridland.net
  92. Kev Ah, the £6/year ones?
  93. dwd Right. I think. :-) It was a while ago.
  94. Kev It's entirely unclear to me what the difference between PositiveSSL and EssentialSSL is :)
  95. dwd Ah, that one has unlimited reissues. Let me dig through and see what I have.
  96. Kev Murky.
  97. dwd Ah, so I have EssentialSSL certificates. I have a feeling they were on offer when I bought them.
  98. dwd So these have a "site seal", which I don't bother with, "mobile browser support", which I don't think means much, and unlimited reissues (ie, for compromise or whatever).
  99. Kev Getting two or three EssentialSSL certs seems a tad expensive.
  100. Kev £43/year or whatever. Almost worth going with a filthy wildcard at that price.
  101. Tobias startcoms wildcards are $60 a year it seems
  102. Tobias startcoms wildcards are $60 for two years it seems
  103. dwd Hmmm. We could always see if we could persuade a CA or two to give XMPP folk a discount because we're so lovely.
  104. Kev Temptation to just get a couple of these £5/year certs is fairly strong. Although I don't see anything about the reissues on the pages.
  105. dwd Right, I think on compromise you pay again.
  106. Zash has joined
  107. dwd But they have a "live chat" thing which has people who're knowledgeable about these things.
  108. Zash has joined
  109. dwd By which I mean they'll be able to tell you about revocation etc, not that they can tell you much of note about odd X.509 features.
  110. dwd Kev, Benefits of working for Isode - discover you now know more about X.509 than most CA employees purely by osmosis.
  111. Zash Hahaha
  112. simon you can get free wildcard certs for open source projects from Globalsign.
  113. Tobias and startcom charges for all revocations, except for their EV certs http://www.startssl.com/?app=25#72
  114. m&m dwd: you almost say that like it's a good thing
  115. simon https://www.globalsign.com/ssl/ssl-open-source/
  116. dwd m&m, If only it was.
  117. m&m Tobias: right. "premium" (-:
  118. Kev simon: Ta. This is for my own server, rather than an OSS project.
  119. m&m has left
  120. m&m has joined
  121. simon Kev: with a free cert from startcom you would be able to cover muc.<domain> and <domain> since they always fill out the altname too
  122. Kev Right. That was how this conversation started :)
  123. Kev Although if I wanted to bring channels.doomsong back to life, I'd need a third domain :)
  124. Tobias or an additional cert just for that
  125. m&m has left
  126. simon Tobias: I don't think that would work - at least not from startcom - they notice that you are trying to get another free one for the same domain.
  127. Zash has left
  128. Tobias simon, i didn't mean from startcom...right..they'd probably notice :)
  129. intosi You can certainly request foo.domain.tld and bar.domain.tld at StartCom.
  130. dwd simon, What's actually in a StartCom cert these days?
  131. simon no matter what you put in your generated cert, they remove it all and put <domainname> and a hostname portion that you can select.
  132. dwd Right, I remember that, but what's in the Subject, and what SANs are in it?
  133. intosi for one of my keys, I have roughly this:
  134. intosi Subject: description=7u4x3xy29u755HYu, C=NL, CN=owncloud.ik.nu/emailAddress=hostmaster@ik.nu
  135. intosi X509v3 extensions:
         X509v3 Basic Constraints: CA:FALSE
         X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement
         X509v3 Extended Key Usage: TLS Web Server Authentication
         X509v3 Subject Key Identifier: 72:CE:E6:0C:5F:D5:EA:54:BB:F9:A8:42:28:AF:F9:DE:60:DA:9F:F5
         X509v3 Authority Key Identifier: keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
         X509v3 Subject Alternative Name: DNS:owncloud.ik.nu, DNS:ik.nu
         X509v3 Certificate Policies: Policy: Policy:
  136. intosi That's a regular one, not one I requested for XMPP.
  137. dwd notes intosi has now learnt all the right terms by osmosis, and probably knows what the two-attribute RDN in the subject is called by now.
  138. intosi Those have othername fields in the SAN
  139. dwd intosi, Right, Sodium will tell you what those are, mind. There's a tool I miss having around.
  140. Kev dwd: I think if you'd seen the 16.3 MLC (which doesn't exist yet, but we know what's coming), you'd miss having that around as well :)
  141. Kev 16.2 MLC is really rather good, mind. What was the last version you saw?
  142. intosi Kev, dwd: :D
  143. dwd Kev, A R15.X, which was certainly getting there.
  144. Kev Ah. Worlds apart :)
  145. simon What was the deal with special XMPP certificates a few years ago? What was different about them?
  146. Kev simon: They had the right SANs in.
  147. simon ah
  148. dwd simon, As I recall, they listed SANs, but had some funnies around the sRVName SANs they used.
  149. Kev dwd: I think the XSF certs were correct, IIRC.
  150. Kev Back when we had an ICA.
  151. simon Why would a normal alt-name not work?
  152. Kev simon: It's not 'not work', it's just that certs should be specialised for the service they're protecting.
  153. dwd simon, It would, but older servers were fairly restrictive in what SANs they used.
  154. dwd simon, Also, there's no such thing as a "normal alt-name". :-P
  155. dwd simon, The Subject is a DN, originally meant to be your entry in the global X.500 directory. The Subject could have alternative names (added in v3), which are all typed. dNSName is the hostname type, and otherName is an extendable type where both sRVName and xmppName live.
  156. intosi Which openssl conveniently refuses to display ;)
  157. simon dwd: you really need to start a CA
  158. intosi simon: we somewhat jokingly discussed this a few years ago, but I think the rough consensus was that running it would be entering a world of pain.
  159. Kev In practical terms, yes. Although in technical terms, Sodium CA makes all this rather easy.
  160. dwd simon, I've also contemplated a CA based around leap-of-faith verification before.
  161. Kev I do have my own CA I use 'internally'.
  162. dwd Kev, Technically, yes; I think the objections were more political ones.
  163. Kev Right.
  164. intosi Running your own CA isn't the world-of-pain part. Getting your CA accepted as a trust anchor in major browsers is.
  165. Tobias the pain of getting it in the major OSes and browsers
  166. Kev If it was a CA for XMPP, you don't need to do that.
  167. Tobias you'd need to provide guides for all XMPP servers how to add your CA to the trusted ones
  168. dwd Kev, That's true, in some respects. Though you need to get it in all the XMPP implementations.
  169. emcho has left
  170. Tobias still failed to add CAcert as trusted on my bsd system....but i haven't spent more than half an hour on that yet
  171. simon https://bugzilla.mozilla.org/show_bug.cgi?id=647959
  172. Tobias has joined
  173. Tobias has joined
  174. Tobias has left
  175. m&m has joined
  176. Zash has joined
  177. m&m has left
  178. m&m has joined
  179. emcho has joined
  180. ralphm I got an Ubuntu update pushed today that removes CACert as a CA
  181. Zash saywat
  182. Tobias ubuntu only or did debian get rid of it too?
  183. ralphm dunno
  184. Zash ralphm: What Ubuntu version?
  185. ralphm 13.10
  186. ralphm https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1258286
  187. intosi http://changelogs.ubuntu.com/changelogs/pool/main/c/ca-certificates/ca-certificates_20130906ubuntu2/changelog
  188. ralphm looking at the full change list of that ticket reveals it was backported to lucid, precise, quantal, raring
  189. Zash has left
  190. Ash has joined
  191. Zash I don't see that update in precise
  192. ralphm -proposed
  193. ralphm ?
  194. Zash Aha
  195. Zash Are they actually really removing it completely?
  196. Zash As opposed to not having it enabled by default.
  197. intosi "No longer ship" seems to suggest they have removed it completely.
  198. intosi ralphm should be able to confirm.
  199. ralphm ralphm@waar:/etc/ssl/certs$ ls | grep -i cacert
         spi-cacert-2008.pem
  200. intosi http://packages.ubuntu.com/trusty/all/ca-certificates/filelist
  201. intosi It doesn't list /usr/share/ca-certificates/cacert.org anymore.
  202. ralphm right
  203. Tobias has left
  204. Tobias has left
  205. MattJ Fun
  206. Zash organizationName: Software in the Public Interest
  207. Zash :(
  208. Zash has left
  209. Zash has joined
  210. Tobias has left
  211. MattJ where?
  212. Zash Where what?
  213. MattJ > 13:57:29 Zash> organizationName: Software in the Public Interest
  214. Zash Sooooo much lag on the IETF wifi
  215. Zash That was re: ralphm> spi-cacert-2008.pem
  216. simon Seems like Fedora, Redhat and Suse are also not too keen on CACert inclusion
  217. Zash It's likely that it's only in Ubuntu because it's in Debian
  218. intosi Hardly anybody was keen on that, mostly because it didn't pass the audit. Of course, recently the found vulnerability and subsequent lack of revocation of the ca key did not improve that. http://www.reddit.com/r/technology/comments/1qj1tz/http_20_to_be_https_only/cddfmz0?context=1 (fourth para)
  219. Zash I think CAcert.org themselves aborted auditing while waiting for some changes to be made.
  220. simon intosi: great paragraph / nice background.
  221. Zash has left
  222. Tobias has left
  223. Zash has joined
  224. m&m has left
  225. Zash has left
  226. Zash has joined
  227. emcho has left
  228. Zash has left
  229. Zash has joined
  230. Ash has left
  231. emcho has joined
  232. m&m has joined
  233. emcho has left
  234. m&m scribing to http://etherpad.tools.ietf.org:9000/p/notes-ietf-89-kitten?useMonospaceFont=true
  235. Lloyd BTW thanks to everyone who came to XMPPUK on Tuesday. Hope everyone had a good time/got something out of the evening.
  236. ralphm Lloyd: even though I wasn't there, thanks for doing that!
  237. m&m yes, thank you!
  238. intosi Indeed. It was a very good meetup, thanks!
  239. Lloyd has left
  240. Lloyd has joined
  241. Kev Lloyd: Yes, thanks. And plenty of pizza :D
  242. Kev Well, golly. They're asking for a CSR. I guess I should work out what to put in it.
  243. Kev dwd: Any idea if they pay any attention to what you put in it, or if they're just going to trample over and I don't need to bother?
  244. Tobias has joined
  245. intosi Most CAs will replace it with the information they have on record anyway, because that's the only info they verified.
  246. intosi It's either that, or requiring you to send proof of identity with each CSR.
  247. Kev https://www.dropbox.com/s/et86sczq4h76r4u/Screenshot%202014-03-06%2015.45.44.png whaaaaaaaaat?
  248. intosi They want to hold your hand installing the signed cert?
  249. Kev I assume it's to deliver it in an appropriate format, but I still found it slightly surprising.
  250. Kev Oh, or that possibly, yes.
  251. simon Kev - which register is that and which register do I need to avoid?
  252. simon Some of those products are ancient!
  253. Kev Comodo, via Namecheap.
  254. Kev But it seems to be to guide you to installation instructions, so it's fine.
  255. dwd Kev, I don't think they used anything but the public key.
  256. Zash And there, prototype s2sin DANE.
  257. simon Zash: excellent. Looking forward to a new weekend project.
  258. Zash But I'm back to it being a race condition :|
  259. m&m has left
  260. m&m has joined
  261. m&m has left
  262. Zash so, https://www.zash.se/dane-s2s-client.html
  263. fippo zash: the "no port" problem sounds familiar....
  264. dwd Right, SRV-like is how (IIRC) dane-esmtp works, isn't it?
  265. m&m has joined
  266. m&m has left
  267. m&m has joined
  268. Lloyd has left
  269. xnyhps has left
  270. Bunneh has joined
  271. Zash -draft dane-smtp
  272. Bunneh Zash: "SMTP security via opportunistic DANE TLS", Viktor Dukhovni, Wesley Hardaker, 2014-02-14, http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-07.txt
  273. Zash That one?
  274. Zash dwd: I spent yesterday searching for anything existing on s2s client auth, found only this thread: http://www.ietf.org/mail-archive/web/dane/current/msg05110.html
  275. MattJ I really disagree with "the stream is not an XML document" viewpoint
  276. Kev It's not, as a whole.
  277. MattJ Yes, it is
  278. MattJ It has an opening tag and an ending tag
  279. Kev It has multiple opening tags, and one ending tag.
  280. MattJ No, it doesn't
  281. MattJ One opening, one closing
  282. MattJ You are confusing it with the other unfinished streams that went before
  283. Kev Throwing away the state each time you restart is not elegant from the XML PoV.
  284. intosi Except that you restart writing out the document without closing it.
  285. Zash dwd: But dane-smtp and dane-srv are meant to be in harmony.
  286. Kev MattJ: No, you're confusing my use of 'stream'.
  287. MattJ So what? Any XML parsing lib lets you throw the parser away and start another
  288. MattJ Kev, then say "connection"
  289. Kev That's...actually very not true :)
  290. MattJ Kev, e.g. ?
  291. m&m has left
  292. Kev The number of libraries I had to go through in Java before I found one that let me work on an incomplete stream without waiting for the end was depressing.
  293. Kev But this is orthogonal to the stream restart stuff.
  294. MattJ That's not quite the same thing
  295. MattJ Such libs are clearly not applicable to XMPP :)
  296. Zash So you need a SAX parser, we knew that already.
  297. Kev That alone is not enough :)
  298. Kev has left
  299. Kev has joined
  300. Kev Although this is more a comment on the sad state of Java XML parsers.
  301. Kev has left
  302. Kev has joined
  303. Tobias has joined
  304. Zash has left
  305. Kev And doomsong.co.uk finally has an A in the observatory. How nice.
  306. Kev (Just so long as no-one looks at the subdomains)
  307. MattJ Let's talk about export ciphers
  308. intosi has left
  309. Kev MattJ: They're disabled.
  310. simon Welcome to the club Kev.
  311. MattJ Kev, on jabber.org?
  312. Kev Oh, no.
  313. Kev Not there :)
  314. MattJ Right
  315. MattJ To continue Tuesday evening's discussion...
  316. MattJ Is the suggestion that jabber.org would be breaking the law to disable them? (seems ridiculous to me)
  317. MattJ or is the argument that people might be using software that only supports them, and we must allow that?
  318. simon I heard Intosi claiming the latter.
  319. MattJ From what Kev has said in the past I assume the latter is the case, so I don't know how legality came up in conversation
  320. MattJ Well, I suppose xnyhps making a US-centric statement :)
  321. simon I can imagine that those old clients using old ciphers are probably unused / installed at one point and sitting in a windows95 taskbar sucking the odd cpu cycle.
  322. simon kill the zombies.
  323. MattJ Indeed, I honestly think that providing people using such software with insecure service is doing nobody any good
  324. simon +1
  325. Kev MattJ: The claim was made that the old export cypher laws were no longer relevant. This isn't true.
  326. MattJ Agreed
  327. Tobias has joined
  328. Kev This isn't related to j.org's choice of suites.
  329. MattJ Ok, fine
  330. MattJ (and good)
  331. simon Did Jabber.org take part in the last test-day?
  332. Kev Yes.
  333. simon How did it work out?
  334. Kev Number of S2S dropped a lot, I think, but I didn't check.
  335. Kev The main complaints were Google-hosted domains.
  336. simon I'm quite encouraged - we started with 2% forced encryption on s2s traffic - that's almost up to 15% now.
  337. Kev ?
  338. simon https://xmpp.net/reports.php#starttls
  339. simon sorry - been a long day. Tried to kill -9 <file> a few moments ago.
  340. Jef has joined
  341. ralphm has left
  342. simon has left
  343. simon has joined
  344. xnyhps MattJ: Now I already made it obvious I don't know much about these laws, but don't they cover only exporting software *itself*?
  345. xnyhps So not offering a service?
  346. MattJ xnyhps, correct
  347. MattJ Also not applicable to open-source software (i.e. OpenSSL, GnuTLS)
  348. MattJ I would presume bundling such software with commercial software may be problematic though
  349. xnyhps (I did try to read the Wassenaar agreements a week or two ago, but couldn't get further than a couple of lines with all the legalese.)
  350. simon Presumably any site offering an HTTPS connection with strong ciphers would be in breach of whatever agreement.
  351. Santiago26 has joined
  352. MattJ Well they are all outdated, and don't really match up with the way software, services and the internet work nowadays
  353. intosi has joined
  354. intosi Kev: well done.
  355. Santiago26 has left
  356. Santiago26 has joined
  357. intosi has left
  358. Santiago26 has left
  359. dwd The cipher export laws in the UK only affect stuff for which the source code is not available (ie, non-open-source), and they're an implementation of EU directives.
  360. dwd The problem isn't so much the EU directive, but the fact they're enforced by a bunch of civil servants who're out of their depth.
  361. xnyhps Well, if the directive still technically forbids the export of >56 bit symmetric and >512 bit asymmetric encryption, then I'd say it is a problem.
  362. MattJ Time to lobby our MPs? :)
  363. xnyhps But jabber.org has ciphers enabled that are even weaker than this laws would allow.
  364. xnyhps *this law
  365. dwd xnyhps, The way it's implemented in the UK is that exported software must have the means to disable "non-export" ciphers, and that those ciphers are off by default. Basically, Isode's licensing keys are largely about implementing this requirement.
  366. MattJ dwd, meaning it's fine to ship the software with a way to turn strong ciphers on?
  367. MattJ (YANAL, I know :) )
  368. dwd The interesting grey area is that it's the use of encryption, and not the implementation thereof, so even using platform crypto is possibly problematic.
  369. dwd MattJ, Right, that's what Isode do.
  370. Kev If anyone cares about this stuff, https://www.gov.uk/export-of-cryptographic-items
  371. Ash has joined
  372. xnyhps Now I'm curious which of the conditions in the Cryptographic Note Isode's stuff doesn't satisfy.
  373. MattJ Which ones do you think it does?
  374. xnyhps Sold without restrictions sounds likely. Not easy to change is somewhat inherent to it being crypto. Designed to be installed by the user without support, I don't know. Providing details on request, why not?
  375. MattJ #1 is arguable, #2... do config files count? I'd say so. #3... my guess is that Isode selling software without support is unlikely and #4 can be complied with by anyone
  376. Santiago26 has joined
  377. Kev MattJ: You can't replace the Isode crypto by changing config files.
  378. xnyhps MattJ: ‘The cryptographic functionality cannot easily be changed by the user’ means that the manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification. That suggests that if they define the config files as the specification, they're fine.
  379. Santiago26 has left
  380. MattJ Fine
  381. dwd xnyhps, "cannot easily be changed by the user" implies config files are not fine.
  382. simon doesn't let his users change config files :)
  383. Kev <!--This is an automatically generated configuration file and must not be manually edited.-->
  384. Kev (From an M-Link config file)
  385. Kev simon: Does that count as not letting users edit it? :)
  386. MattJ :P
  387. dwd In any case, it looks like I wasn't right; open source would be fine, Isode's stuff would need a license, but you could probably manage to ship a simple closed-source XMPP server under the rules too.
  388. dwd has left
  389. xnyhps Well, it probably won't fly to just specify "users can do EVERYTHING with this", but it suggests that you can.
  390. xnyhps has left
  391. intosi has joined
  392. Maranda has joined
  393. Ash has left
  394. Ash has joined
  395. Ash has left
  396. xnyhps has left
  397. Tobias has joined
  398. Tobias has left
  399. Tobias has joined
  400. Ash has joined
  401. intosi has left
  402. Ash has left
  403. Ash has joined
  404. Alex has left
  405. Neustradamus has left
  406. Tobias has left
  407. xnyhps has left
  408. Tobias has joined
  409. Ash has left
  410. martin.hewitt@surevine.com has left
  411. Ash has left
  412. Lloyd has joined
  413. intosi has joined
  414. intosi has left
  415. dwd has joined
  416. xnyhps has left
  417. Tobias has joined
  418. Lloyd has left
  419. Ash has joined
  420. dezant has left