Kev: dwd: The text on https://www.namecheap.com/security/ssl-certificates/comodo/essentialssl.aspx, which is the £15ish one, seems to suggest it's single-domain-only (i.e. no MUC child). Sound about right?
dwd: Ah, yes. My two are single domain. But dave.cridland.net was covered, unlike StartCom.
dwd: FWIW, I think mine are the top one on that page.
dwd: I have one for cridland.im and one for dave.cridland.net
Kev: Ah, the £6/year ones?
dwd: Right. I think. :-) It was a while ago.
Kev: It's entirely unclear to me what the difference between PositiveSSL and EssentialSSL is :)
dwd: Ah, that one has unlimited reissues. Let me dig through and see what I have.
dwd: Ah, so I have EssentialSSL certificates. I have a feeling they were on offer when I bought them.
dwd: So these have a "site seal", which I don't bother with, "mobile browser support", which I don't think means much, and unlimited reissues (ie, for compromise or whatever).
Kev: Getting two or three EssentialSSL certs seems a tad expensive.
Kev: £43/year or whatever. Almost worth going with a filthy wildcard at that price.
Tobias: startcom's wildcards are $60 a year it seems ✎
Tobias: startcom's wildcards are $60 for two years it seems ✏
dwd: Hmmm. We could always see if we could persuade a CA or two to give XMPP folk a discount because we're so lovely.
Kev: Temptation to just get a couple of these £5/year certs is fairly strong. Although I don't see anything about the reissues on the pages.
dwd: Right, I think on compromise you pay again.
dwd: But they have a "live chat" thing which has people who're knowledgeable about these things.
dwd: By which I mean they'll be able to tell you about revocation etc, not that they can tell you much of note about odd X.509 features.
dwd: Kev, Benefits of working for Isode - discover you now know more about X.509 than most CA employees purely by osmosis.
simon: you can get free wildcard certs for open source projects from Globalsign.
Tobias: and startcom charges for all revocations, except for their EV certs http://www.startssl.com/?app=25#72
m&m: dwd: you almost say that like it's a good thing
intosi: That's a regular one, not one I requested for XMPP.
dwd notes intosi has now learnt all the right terms by osmosis, and probably knows what the two-attribute RDN in the subject is called by now.
intosi: Those have othername fields in the SAN
dwd: intosi, Right, Sodium will tell you what those are, mind. There's a tool I miss having around.
Kev: dwd: I think if you'd seen the 16.3 MLC (which doesn't exist yet, but we know what's coming), you'd miss having that around as well :)
Kev: 16.2 MLC is really rather good, mind. What was the last version you saw?
intosi: Kev, dwd: :D
dwd: Kev, A R15.X, which was certainly getting there.
Kev: Ah. Worlds apart :)
simon: What was the deal with special XMPP certificates a few years ago? What was different about them?
Kev: simon: They had the right SANs in.
dwd: simon, As I recall, they listed SANs, but had some funnies around the sRVName SANs they used.
Kev: dwd: I think the XSF certs were correct, IIRC.
Kev: Back when we had an ICA.
simon: Why would a normal alt-name not work?
Kev: simon: It's not 'not work', it's just that certs should be specialised for the service they're protecting.
dwd: simon, It would, but older servers were fairly restrictive in what SANs they used.
dwd: simon, Also, there's no such thing as a "normal alt-name". :-P
dwd: simon, The Subject is a DN, originally meant to be your entry in the global X.500 directory. The Subject could have alternative names (added in v3), which are all typed. dNSName is the hostname type, and otherName is an extendable type where both sRVName and xmppName live.
intosi: Which openssl conveniently refuses to display ;)
simon: dwd: you really need to start a CA
intosi: simon: we somewhat jokingly discussed this a few years ago, but I think the rough consensus was that running it would be entering a world of pain.
Kev: In practical terms, yes. Although in technical terms, Sodium CA makes all this rather easy.
dwd: simon, I've also contemplated a CA based around leap-of-faith verification before.
Kev: I do have my own CA I use 'internally'.
dwd: Kev, Technically, yes; I think the objections were more political ones.
intosi: Running your own CA isn't the world-of-pain part. Getting your CA accepted as a trust anchor in major browsers is.
Tobias: the pain of getting it in the major OSes and browsers
Kev: If it was a CA for XMPP, you don't need to do that.
Tobias: you'd need to provide guides for all XMPP servers how to add your CA to the trusted ones
dwd: Kev, That's true, in some respects. Though you need to get it in all the XMPP implementations.
Tobias: still failed to add CAcert as trusted on my bsd system....but i haven't spent more than half an hour on that yet
intosi: It doesn't list /usr/share/ca-certificates/cacert.org anymore.
Zash: organizationName: Software in the Public Interest
MattJ: > 13:57:29 Zash> organizationName: Software in the Public Interest
Zash: Sooooo much lag on the IETF wifi
Zash: That was re: ralphm> spi-cacert-2008.pem
simon: Seems like Fedora, Redhat and Suse are also not too keen on CACert inclusion
Zash: It's likely that it's only in Ubuntu because it's in Debian
intosi: Hardly anybody was keen on that, mostly because it didn't pass the audit. Of course, recently the found vulnerability and subsequent lack of revocation of the ca key did not improve that. http://www.reddit.com/r/technology/comments/1qj1tz/http_20_to_be_https_only/cddfmz0?context=1 (fourth para)
Zash: I think CAcert.org themselves aborted auditing while waiting for some changes to be made.
simon: intosi: great paragraph / nice background.
m&m: scribing to http://etherpad.tools.ietf.org:9000/p/notes-ietf-89-kitten?useMonospaceFont=true
Lloyd: BTW thanks for everyone who came to XMPPUK on tuesday. Hope everyone had a good time/got something out of the evening.
ralphm: Lloyd: even though I wasn't there, thanks for doing that!
m&m: yes, thank you!
intosi: Indeed. It was a very good meetup, thanks!
Kev: Lloyd: Yes, thanks. And plenty of pizza :D
Kev: Well, golly. They're asking for a CSR. I guess I should work out what to put in it.
Kev: dwd: Any idea if they pay any attention to what you put in it, or if they're just going to trample over and I don't need to bother?
intosi: Most CAs will replace it with the information they have on record anyway, because that's the only info they verified.
intosi: It's either that, or requiring you to send proof of identity with each CSR.
intosi: They want to hold your hand installing the signed cert?
Kev: I assume it's to deliver it in an appropriate format, but I still found it slightly surprising.
Kev: Oh, or that possibly, yes.
simon: Kev - which register is that and which register do I need to avoid?
simon: Some of those products are ancient!
Kev: Comodo, via Namecheap.
Kev: But it seems to be to guide you to installation instructions, so it's fine.
dwd: Kev, I don't think they used anything but the public key.
Zash: And there, prototype s2sin DANE.
simon: Zash: excellent. Looking forward to a new weekend project.
Zash: But I'm back to it being a race condition :|
fippo: zash: the "no port" problem sounds familiar....
dwd: Right, SRV-like is how (IIRC) dane-esmtp works, isn't it?
Bunneh: Zash: "SMTP security via opportunistic DANE TLS", Viktor Dukhovni, Wesley Hardaker, 2014-02-14,
Zash: dwd: I spent yesterday searching for anything existing on s2s client auth, found only this thread: http://www.ietf.org/mail-archive/web/dane/current/msg05110.html
MattJ: I really disagree with "the stream is not an XML document" viewpoint
Kev: It's not, as a whole.
MattJ: Yes, it is
MattJ: It has an opening tag and an ending tag
Kev: It has multiple opening tags, and one ending tag.
MattJ: No, it doesn't
MattJ: One opening, one closing
MattJ: You are confusing it with the other unfinished streams that went before
Kev: Throwing away the state each time you restart is not elegant from the XML PoV.
intosi: Except that you restart writing out the document without closing it.
Zash: dwd: But dane-smtp and dane-srv are meant to be in harmony.
Kev: MattJ: No, you're confusing my use of 'stream'.
MattJ: So what? Any XML parsing lib lets you throw the parser away and start another
MattJ: Kev, then say "connection"
Kev: That's...actually very not true :)
MattJ: Kev, e.g. ?
Kev: The number of libraries I had to go through in Java before I found one that let me work on an incomplete stream without waiting for the end was depressing.
Kev: But this is orthogonal to the stream restart stuff.
MattJ: That's not quite the same thing
MattJ: Such libs are clearly not applicable to XMPP :)
Zash: So you need a SAX parser, we knew that already.
Kev: That alone is not enough :)
Kev: Although this is more a comment on the sad state of Java XML parsers.
Kev: And doomsong.co.uk finally has an A in the observatory. How nice.
Kev: (Just so long as no-one looks at the subdomains)
MattJ: Let's talk about export ciphers
Kev: MattJ: They're disabled.
simon: Welcome to the club Kev.
MattJ: Kev, on jabber.org?
Kev: Not there :)
MattJ: To continue Tuesday evening's discussion...
MattJ: Is the suggestion that jabber.org would be breaking the law to disable them? (seems ridiculous to me)
MattJ: or is the argument that people might be using software that only supports them, and we must allow that?
simon: I heard Intosi claiming the latter.
MattJ: From what Kev has said in the past I assume the latter is the case, so I don't know how legality came up in conversation
MattJ: Well, I suppose xnyhps making a US-centric statement :)
simon: I can imagine that those old clients using old ciphers are probably unused / installed at one point and sitting in a windows95 taskbar sucking the odd cpu cycle.
simon: kill the zombies.
MattJ: Indeed, I honestly think that providing people using such software with insecure service is doing nobody any good
Kev: MattJ: The claim was made that the old export cypher laws were no longer relevant. This isn't true.
Kev: This isn't related to j.org's choice of suites.
simon: Did Jabber.org take part in the last test-day?
simon: How did it work out?
Kev: Number of S2S dropped a lot, I think, but I didn't check.
Kev: The main complaints were Google-hosted domains.
simon: I'm quite encouraged - we started with 2% forced encryption on s2s traffic - that's almost up to 15% now.
simon: sorry - been a long day. Tried to kill -9 <file> a few moments ago.
xnyhps: MattJ: Now I already made it obvious I don't know much about these laws, but don't they cover only exporting software *itself*?
xnyhps: So not offering a service?
MattJ: Also not applicable to open-source software (i.e. OpenSSL, GnuTLS)
MattJ: I would presume bundling such software with commercial software may be problematic though
xnyhps: (I did try to read the Wassenaar agreements a week or two ago, but couldn't get further than a couple of lines with all the legalese.)
simon: Presumably any site offering an HTTPS connection with strong ciphers would be in breach of whatever agreement.
MattJ: Well they are all outdated, and don't really match up with the way software, services and the internet work nowadays
intosi: Kev: well done.
dwd: The cipher export laws in the UK only affect stuff for which the source code is not available (ie, non-open-source), and they're an implementation of EU directives.
dwd: The problem isn't so much the EU directive, but the fact they're enforced by a bunch of civil servants who're out of their depth.
xnyhps: Well, if the directive still technically forbids the export of >56 bit symmetric and >512 bit asymmetric encryption, then I'd say it is a problem.
MattJ: Time to lobby our MPs? :)
xnyhps: But jabber.org has ciphers enabled that are even weaker than these laws would allow.
dwd: xnyhps, The way it's implemented in the UK is that exported software must have the means to disable "non-export" ciphers, and that those ciphers are off by default. Basically, Isode's licensing keys are largely about implementing this requirement.
MattJ: dwd, meaning it's fine to ship the software with a way to turn strong ciphers on?
MattJ: (YANAL, I know :) )
dwd: The interesting grey area is that it's the use of encryption, and not the implementation thereof, so even using platform crypto is possibly problematic.
dwd: MattJ, Right, that's what Isode do.
Kev: If anyone cares about this stuff, https://www.gov.uk/export-of-cryptographic-items
xnyhps: Now I'm curious which of the conditions in the Cryptographic Note Isode's stuff doesn't satisfy.
MattJ: Which ones do you think it does?
xnyhps: Sold without restrictions sounds likely. Not easy to change is somewhat inherent to it being crypto. Designed to be installed by the user without support, I don't know. Providing details on request, why not?
MattJ: #1 is arguable, #2... do config files count? I'd say so. #3... my guess is that Isode selling software without support is unlikely and #4 can be complied with by anyone
Kev: MattJ: You can't replace the Isode crypto by changing config files.
xnyhps: MattJ: ‘The cryptographic functionality cannot easily be changed by the user’ means that the manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification.
That suggests that if they define the config files as the specification, they're fine.
dwd: xnyhps, "cannot easily be changed by the user" implies config files are not fine.
simon doesn't let his users change config files :)
Kev: <!--This is an automatically generated configuration file and must not be
Kev: (From an M-Link config file)
Kev: simon: Does that count as not letting users edit it? :)
dwd: In any case, it looks like I wasn't right; open source would be fine, Isode's stuff would need a license, but you could probably manage to ship a simple closed-source XMPP server under the rules too.
xnyhps: Well, it probably won't fly to just specify "users can do EVERYTHING with this", but it suggests that you can.