dwd: The text on https://www.namecheap.com/security/ssl-certificates/comodo/essentialssl.aspx, which is the £15ish one, seems to suggest it's single-domain-only (i.e. no MUC child). Sound about right?
dwd
Ah, yes. My two are single domain. But dave.cridland.net was covered, unlike StartCom.
dwd
FWIW, I think mine are the top one on that page.
dwd
I have one for cridland.im and one for dave.cridland.net
Kev
Ah, the £6/year ones?
dwd
Right. I think. :-) It was a while ago.
Kev
It's entirely unclear to me what the difference between PositiveSSL and EssentialSSL is :)
dwd
Ah, that one has unlimited reissues. Let me dig through and see what I have.
Kev
Murky.
dwd
Ah, so I have EssentialSSL certificates. I have a feeling they were on offer when I bought them.
dwd
So these have a "site seal", which I don't bother with, "mobile browser support", which I don't think means much, and unlimited reissues (ie, for compromise or whatever).
Kev
Getting two or three EssentialSSL certs seems a tad expensive.
Kev
£43/year or whatever. Almost worth going with a filthy wildcard at that price.
That's a regular one, not one I requested for XMPP.
dwdnotes intosi has now learnt all the right terms by osmosis, and probably knows what the two-attribute RDN in the subject is called by now.
intosi
Those have othername fields in the SAN
dwd
intosi, Right, Sodium will tell you what those are, mind. There's a tool I miss having around.
Kev
dwd: I think if you'd seen the 16.3 MLC (which doesn't exist yet, but we know what's coming), you'd miss having that around as well :)
Kev
16.2 MLC is really rather good, mind. What was the last version you saw?
intosi
Kev, dwd: :D
dwd
Kev, A R15.X, which was certainly getting there.
Kev
Ah. Worlds apart :)
simon
What was the deal with special XMPP certificates a few years ago? What was different about them?
Kev
simon: They had the right SANs in.
simon
ah
dwd
simon, As I recall, they listed SANs, but had some funnies around the sRVName SANs they used.
Kev
dwd: I think the XSF certs were correct, IIRC.
Kev
Back when we had an ICA.
simon
Why would a normal alt-name not work?
Kev
simon: It's not 'not work', it's just that certs should be specialised for the service they're protecting.
dwd
simon, It would, but older servers were fairly restrictive in what SANs they used.
dwd
simon, ALso, there's no such thing as a "normal alt-name". :-P
dwd
simon, The Subject is a DN, originally meant to be your entry in the global X.500 directory. The Subject could have alternative names (added in v3), which are all typed. dNSName is the hostname type, and otherName is an extendable type where both sRVName and xmppName live.
intosi
Which openssl conveniently refuses to display ;)
simon
dwd: you really need to start a CA
intosi
simon: we somewhat jokingly discussed this a feww years ago, but I think the rough consensus was that running it would be entering a world of pain.
Kev
In practical terms, yes. Although in technical terms, Sodium CA makes all this rather easy.
dwd
simon, I've also contemplated a CA based around leap-of-faith verification before.
Kev
I do have my own CA I use 'internally'.
dwd
Kev, Technically, yes; I think the objections were more political ones.
Kev
Right.
intosi
Running your own CA isn't the world-of-pain part. Getting your CA accepted as a trust anchor in major browsers is.
Tobias
the pain of getting it in the major OSes and browsers
Kev
If it was a CA for XMPP, you don't need to do that.
Tobias
you'd need to provide guides for all XMPP servers how to add your CA to the trusted ones
dwd
Kev, That's true, in some respects. Though you need to get it in all the XMPP implementations.
emchohas left
Tobiasstill failed to add CAcert as trusted on my bsd system....but i haven't spend more than half an hour on that yet
It doesn't list /usr/share/ca-certificates/cacert.org anymore.
ralphm
right
Tobiashas left
Tobiashas left
MattJ
Fun
Zash
organizationName: Software in the Public Interest
Zash
:(
Zashhas left
Zashhas joined
Tobiashas left
MattJ
where?
Zash
Where what?
MattJ
> 13:57:29 Zash> organizationName: Software in the Public Interest
Zash
Sooooo much lag on the IETF wifi
Zash
That was re: ralphm> spi-cacert-2008.pem
simon
Seems like Fedora, Redhat and Suse are also not too keen on CACert inclusion
Zash
It's likely that it's only in Ubuntu because it's in Debian
intosi
Hardly anybody was keen on that, mostly because it didn't pass the audit. Of course, recently the found vulnerability and subsequent lack of revocation of the ca key did not improve that. http://www.reddit.com/r/technology/comments/1qj1tz/http_20_to_be_https_only/cddfmz0?context=1 (fourth para)
Zash
I think CAcert.org themselves aborted auditing while waiting for some changes to be made.
simon
intosi: great paragraph / nice background.
Zashhas left
Tobiashas left
Zashhas joined
m&mhas left
Zashhas left
Zashhas joined
emchohas left
Zashhas left
Zashhas joined
Ashhas left
emchohas joined
m&mhas joined
emchohas left
m&m
scribing to http://etherpad.tools.ietf.org:9000/p/notes-ietf-89-kitten?useMonospaceFont=true
Lloyd
BTW thanks for everyone who came to XMPPUK on tuesday. Hope everyone had a good time/got something out of the evening.
ralphm
Lloyd: even though I wasn't there, thanks for doing that!
m&m
yes, thank you!
intosi
Indeed. It was a very good meetup, thanks!
Lloydhas left
Lloydhas joined
Kev
Lloyd: Yes, thanks. And plenty of pizza :D
Kev
Well, golly. They're asking for a CSR. I guess I should work out what to put in it.
Kev
dwd: Any idea if they pay any attention to what you put in it, or if they're just going to trample over and I don't need to bother?
Tobiashas joined
intosi
Most CAs will replace it with the information they have on record anyway, because that's the only info they verified.
intosi
It's either that, or requiring you to send proof of identity with each CSR.
They want to hold your hand installing the signed cert?
Kev
I assume it's to deliver it in an appropriate format, but I still found it slightly surprising.
Kev
Oh, or that possibly, yes.
simon
Kev - which register is that and which register do I need to avoid?
simon
Some of those products are ancient!
Kev
Comodo, via Namecheap.
Kev
But it seems to be to guide you to installation instructions, so it's fine.
dwd
Kev, I don't think they used anything but the public key.
Zash
And there, prototype s2sin DANE.
simon
Zash: excellent. Looking forward to a new weekend project.
Zash
But I'm back to it being a race condition :|
m&mhas left
m&mhas joined
m&mhas left
Zash
so, https://www.zash.se/dane-s2s-client.html
fippo
zash: the "no port" problem sounds familiar....
dwd
Right, SRV-like is how (IIRC) dane-esmtp works, isn't it?
m&mhas joined
m&mhas left
m&mhas joined
Lloydhas left
xnyhpshas left
Bunnehhas joined
Zash
-draft dane-smtp
Bunneh
Zash: "SMTP security via opportunistic DANE TLS", Viktor Dukhovni, Wesley Hardaker, 2014-02-14,
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-07.txt
Zash
That one?
Zash
dwd: I spent yesterday searching for anything existing on s2s client auth, found only this thread: http://www.ietf.org/mail-archive/web/dane/current/msg05110.html
MattJ
I really disagree with "the stream is not an XML document" viewpoint
Kev
It's not, as a whole.
MattJ
Yes, it is
MattJ
It has an opening tag and an ending tag
Kev
It has multiple opening tags, and one ending tag.
MattJ
No, it doesn't
MattJ
One opening, one closing
MattJ
You are confusing it with the other unfinished streams that went before
Kev
Throwing away the state each time you restart is not elegant from the XML PoV.
intosi
Except that you restart writing out the document without closing it.
Zash
dwd: But dane-smtp and dane-srv are meant to be in harmony.
Kev
MattJ: No, you're confusing my use of 'stream'.
MattJ
So what? Any XML parsing lib lets you throw the parser away and start another
MattJ
Kev, then say "connection"
Kev
That's...actually very not true :)
MattJ
Kev, e.g. ?
m&mhas left
Kev
The number of libraries I had to go through in Java before I found one that let me work on an incomplete stream without waiting for the end was depressing.
Kev
But this is orthogonal to the stream restart stuff.
MattJ
That's not quite the same thing
MattJ
Such libs are clearly not applicable to XMPP :)
Zash
So you need a SAX parser, we knew that already.
Kev
That alone is not enough :)
Kevhas left
Kevhas joined
Kev
Although this is more a comment on the sad state of Java XML parsers.
Kevhas left
Kevhas joined
Tobiashas joined
Zashhas left
Kev
And doomsong.co.uk finally has an A in the observatory. How nice.
Kev
(Just so long as no-one looks at the subdomains)
MattJ
Let's talk about export ciphers
intosihas left
Kev
MattJ: They're disabled.
simon
Welcome to the club Kev.
MattJ
Kev, on jabber.org?
Kev
Oh, no.
Kev
Not there :)
MattJ
Right
MattJ
To continue Tuesday evening's discussion...
MattJ
Is the suggestion that jabber.org would be breaking the law to disable them? (seems ridiculous to me)
MattJ
or is the argument that people might be using software that only supports them, and we must allow that?
simon
I heard Intosi claiming the latter.
MattJ
From what Kev has said in the past I assume the latter is the case, so I don't know how legality came up in conversation
MattJ
Well, I suppose xnyhps making a US-centric statement :)
simon
I can imagine that those old clients using old ciphers are probably unused / installed at one point and sitting in a windows95 taskbar sucking the odd cpu cycle.
simon
kill the zombies.
MattJ
Indeed, I honestly think that providing people using such software with insecure service is doing nobody any good
simon
+1
Kev
MattJ: The claim was made that the old export cypher laws were no longer relevant. This isn't true.
MattJ
Agreed
Tobiashas joined
Kev
This isn't related to j.org's choice of suites.
MattJ
Ok, fine
MattJ
(and good)
simon
Did Jabber.org take part in the last test-day?
Kev
Yes.
simon
How did it work out?
Kev
Number of S2S dropped a lot, I think, but I didn't check.
Kev
The main complaints were Google-hosted domains.
simon
I'm quite encouraged - we started with 2% forced encryption on s2s traffic - that's almost up to 15% now.
Kev
?
simon
https://xmpp.net/reports.php#starttls
simon
sorry - been a long day. Tried to kill -9 <file> a few moments ago.
Jefhas joined
ralphmhas left
simonhas left
simonhas joined
xnyhps
MattJ: Now I already made it obvious I don't know much about these laws, but don't they cover only exporting software *itself*?
xnyhps
So not offering a service?
MattJ
xnyhps, correct
MattJ
Also not applicable to open-source software (i.e. OpenSSL, GnuTLS)
MattJ
I would presume bundling such software with commercial software may be problematic though
xnyhps
(I did try to read the Wassenaar agreements a week or two ago, but couldn't get further than a couple of lines with all the legalese.)
simon
Presumably any site offering an HTTPS connection with strong ciphers would be in breech of whatever agreement.
Santiago26has joined
MattJ
Well they are all outdated, and don't really match up with the way software, services and the internet work nowadays
intosihas joined
intosi
Kev: well done.
Santiago26has left
Santiago26has joined
intosihas left
Santiago26has left
dwd
The cipher export laws in the UK only affect stuff for which the source code is not available (ie, non-open-source), and they're an implementation of EU directives.
dwd
The problem isn't so much the EU directive, but the fact they're enforced by a bunch of civil servants who're out of their depth.
xnyhps
Well, if the directive still technically forbids the export of >56 bit symmetric and >512 bit asymmetric encryption, then I'd say it is a problem.
MattJ
Time to lobby our MPs? :)
xnyhps
But jabber.org has ciphers enabled that are even weaker than this laws would allow.
xnyhps
*this law
dwd
xnyhps, The way it's implemented in the UK is that exported software must have the means to disable "non-export" ciphers, and that those ciphers are off by default. Basically, Isode's licensing keys are largely about implementing this requirement.
MattJ
dwd, meaning it's fine to ship the software with a way to turn strong ciphers on?
MattJ
(YANAL, I know :) )
dwd
The interesting grey area is that it's the use of encryption, and not the implementation thereof, so even using platform crypto is possibly problematic.
dwd
MattJ, Right, that's what Isode do.
Kev
If anyone cares about this stuff, https://www.gov.uk/export-of-cryptographic-items
Ashhas joined
xnyhps
Now I'm curious which of the conditions in the Cryptographic Note Isode's stuff doesn't satisfy.
MattJ
Which ones do you think it does?
xnyhps
Sold without restrictions sounds likely. Not easy to change is somewhat inherent to it being crypto. Designed to be installed by the user without support, I don't know. Providing details on request, why not?
MattJ
#1 is arguable, #2... do config files count? I'd say so. #3... my guess is that Isode selling software without support is unlikely and #4 can be complied with by anyone
Santiago26has joined
Kev
MattJ: You can't replace the Isode crypto by changing config files.
xnyhps
MattJ: ‘The cryptographic functionality cannot easily be changed by the user’ means that the manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification.
That suggests that if they define the config files as the specification, they're fine.
Santiago26has left
MattJ
Fine
dwd
xnyhps, "cannot easily be changed by the user" implies config files are not fine.
simondoesn't let his users change config files :)
Kev
<!--This is an automatically generated configuration file and must not be
manually edited.-->
Kev
(From an M-Link config file)
Kev
simon: Does that count as not letting users edit it? :)
MattJ
:P
dwd
In any case, it looks like I wasn't right; open source would be fine, Isode's stuff would need a license, but you could probably manage to ship a simple closed-source XMPP server under the rules too.
dwdhas left
xnyhps
Well, it probably won't fly to just specify "users can do EVERYTHING with this", but it suggests that you can.