XSF Discussion - 2014-03-17

  1. Zash has left
  2. Jef has left
  3. stpeter has left
  4. Leonidas I has joined
  5. Leonidas I has left
  6. Simon has joined
  7. Alex has joined
  8. emcho has joined
  9. Leonidas I has joined
  10. Simon has left
  11. simon has joined
  12. simon has left
  13. simon has joined
  14. Leonidas I has left
  15. Leonidas I has joined
  16. Leonidas has joined
  17. Leonidas has left
  18. Leonidas has joined
  19. Alex has left
  20. Tobias has joined
  21. Leonidas has left
  22. Leonidas has joined
  23. Leonidas has left
  24. Leonidas has joined
  25. Leonidas has left
  26. Leonidas has joined
  27. emcho has left
  28. emcho has joined
  29. winfried has joined
  30. Laura has joined
  31. Leonidas has left
  32. Leonidas has joined
  33. Lloyd has joined
  34. Laura has left
  35. Laura has joined
  36. Ash has joined
  37. Laura has left
  38. Laura has joined
  39. martin.hewitt@surevine.com has joined
  40. Zash has joined
  41. Leonidas has left
  42. ralphm has left
  43. intosi has left
  44. intosi has joined
  45. intosi has left
  46. intosi has joined
  47. Ge0rG dwd: ping. are you still overloaded with work?
  48. Laura has left
  49. Laura has joined
  50. Laura has left
  51. Laura has joined
  52. emcho has left
  53. emcho has joined
  54. Laura has left
  55. Laura has joined
  56. Santiago26 has joined
  57. Santiago26 has left
  58. Santiago26 has joined
  59. Santiago26 has left
  60. Santiago26 has joined
  61. Santiago26 has left
  62. Santiago26 has joined
  63. Santiago26 has left
  64. m&m has joined
  65. simon Zash has DANE working for Prosody now. It looks like Tigase has something on the horizon: https://projects.tigase.org/issues/1626. Anyone know about Ejabberd or MongooseIM or Openfire?
  66. Zash Need to write a proper DANE+XMPP draft
  67. simon Zash: Do you have some setup instructions lurking anywhere?
  68. Zash simon: For the Prosody DANE plugin, DNS setup or bot?
  69. Zash both*
  70. m&m Zash: would be acceptable to put the XMPP-specific parts of DANE into draft-ietf-xmpp-dna, or does it really require a standalone draft?
  71. simon The plugin looks pretty straightforward. But for the DNS setup, all the guides I've read are quite complex and assume a massive rollout... Well, it would be nice to have a simple setup guide. Does such a thing exist?
  72. Zash m&m: Would probably be fine to have it in DNA-DANE
  73. m&m Zash: patches welcome (-:
  74. Zash Maybe, once I recover from the meeting I had this entire weekend.
  75. m&m ouch
  76. m&m working on that is third on my TODO
  77. fippo DNA-DANE-POSH maybe
  78. fippo we still need to define what DNA is actually ;-)
  79. m&m http://dictionary.reference.com/browse/DNA
  80. Zash My code is currently diverging from the DANE-SRV stuff
  81. simon Zash: how does it diverge?
  82. Zash It looks up _xmpp-server.example.com IN TLSA instead of _$port._tcp.your-srv-target.example.com
  83. m&m I doubt that TLSA for _xmpp-server.example.com would get published
  84. Zash Hm?
  85. simon what's your thinking on using xmpp-server instead of _$port._tcp.your-srv-target.example.com?
  86. Zash simon: https://www.zash.se/dane-s2s-client.html
  87. simon I love it when someone can point to a webpage to answer questions!
  88. m&m the problem here is that it assumes a level of micro-coordination between the owning domain and the hosting provider that is only really possible for stand-alone servers
  89. Zash Basically, it's easier, especially for validating incoming connections.
  90. Zash m&m: CNAME :P
  91. m&m /-:
  92. m&m \-:
  93. m&m requiring CNAME to deploy seems like a Really Bad Idea™.
  94. m&m and again requires the owning domain and hosting provider to be in sync on DNS updates
  95. simon It's bad enough getting people to set up SRV records... (SRV what?)
  96. ralphm also, is this format for TLSA even valid?
  97. m&m ralphm: it's not prohibited, but it's not documented anywhere
  98. ralphm simon: strongly disagree. I wish SRV was used more. Like in HTTP.
  99. m&m RFC 6698 documents using _$port._tcp.hosting.example.net
  100. Zash ralphm: The qname has nothing to do with the TLSA format, that's just an example convention.
  101. m&m ralphm: wishing something were so and reality are often in conflict (-:
  102. simon Ralphm: I agree- wish they were used more too. But I have to explain why they are awesome every single bloody time.
  103. m&m and how 5222 and 5269 are not "proprietary ports"
  104. ralphm simon: write a web page to point to.
  105. Zash m&m: Incoming s2s connection, I wanna validate the client cert without doing over 9000 lookups.
  106. m&m ralphm: at that point, I might as well use .well-known and host metadata d-:
  107. Zash And SRV records might not even point to servers doing outgoing connections.
  108. ralphm m&m: I mean a web page explaining SRV
  109. m&m Zash: I understand your desire, but I think you're going to have to suck it up and deal with the extra lookups
  110. intosi You're going to do a million lookups anyway, because of DNSSEC.
  111. ralphm +1 sucking it up
  112. intosi m&m: +1
  113. Zash intosi: The dns library handles that for me.
  114. m&m Zash: it's not a ton of lookups, but n*2 (n == count of SRV RRs)
  115. m&m well, 3*n if you do both A and AAAA and TLSA
  116. simon One million lookups http://img2.wikia.nocookie.net/__cb20090506185112/uncyclopedia/images/f/fa/Dr_evil_one_million_dollars.jpg
  117. intosi And you probably will want to look up / have looked up the SRV records for the domain in question.
  118. m&m but really, anything that relies on the source domain holding information on the keying material severely constrains hosting deployments
  119. Zash intosi: Not for incoming connections with bidi
  120. ralphm I don't want to promote any non-standard use of existing DNS RRs. There are a few to choose from for pointing to things, all with their own uses. TXT, CNAME, SRV, TLSA, PTR. Please, just use them appropriately.
  121. Leonidas has joined
  122. Leonidas has left
  123. Leonidas has joined
  124. ralphm I remember a recent discussion with simon on this for BC.
  125. simon Go PTR!
  126. Zash I remember a recent discussion with DANE people at IETF that this made more sense than the _port way.
  127. m&m if it wasn't Viktor Dukhovni or Wes Hardaker, then it probably wasn't with people actually deploying things (-:
  128. Zash where's that email
  129. Zash http://www.ietf.org/mail-archive/web/xmpp/current/msg03231.html
  130. simon m&m: that's one of the most pleasant to read RFCs. Nice job btw.
  131. m&m Zash: /sigh … this is after spending about 2 minutes trying to explain XMPP S2S to someone unfamiliar with XMPP
  132. ralphm woooosh
  133. m&m for actual XMPP clients, this might be ok, although I still doubt the actual deployability of true client certs
  134. m&m for servers, I think you'll have to do the SRV and TLSA lookups, or you could be getting false negatives
  135. m&m particularly for hosting providers that have separate certs for each individual end-point
  136. m&m simon: we try (-:
  137. Zash false negatives?
  138. m&m for instance, let's say hobbiton.example is hosted at a large provider with 6 s2s end-points (im1.middle-earth.example, im2.middle-earth.example, im3.middle-earth.example, im4.middle-earth.example, im5.middle-earth.example, im6.middle-earth.example)
  139. m&m you get an incoming connection from one of these, and you do an IN TLSA _xmpp-server.hobbiton.example
  140. Zash I get 6 records back, find at least one matching and then I'm happy.
  141. m&m if that resulted in 6 different TLSA RRs, then you'll probably be fine unless im3.middle-earth.example had to rotate keys
  142. m&m but if you relied on your CNAME, well things get a lot messier
  143. Zash Because?
  144. m&m if you did the SRV then TLSA lookups, you'd get a whole lot closer to reality
  145. m&m CNAMEs to multiple records are messy
  146. Zash Is it?
  147. m&m that's what I've been told at least (-:
  148. Neustradamus has left
  149. m&m plus, you're requiring the owning domain and possibly hosting provider to make sure extra records are in sync, which increases the likelihood of failure
  150. m&m doing the same SRV + TLSA dance for incoming connections as outgoing minimizes the number of records operators have to publish (reducing the bugs)
  151. ralphm also, you can't point to CNAMEs with SRV
  152. m&m ralphm: you can have CNAME _xmpp-server._tcp.example.com
  153. ralphm I'm sure that goes for other record types, too
  154. ralphm cries
  155. Zash ralphm: Not relevant.
  156. m&m ralphm: it also turns out the vast majority of resolvers don't really care where the CNAME/DNAME records are in the chain )-:
  157. ralphm CNAMEs only exist because there wasn't anything better
  158. m&m the other thing with doing the SRV + TLSA dance on incoming is that you'll almost always have cached records for the outgoing (or almost always have cached on your outgoing before you got the incoming)
  159. simon Ralphm: kinda like MX too?
  160. ralphm simon: well, yeah, MX is just e-mail specific SRV
  161. stpeter has joined
  162. m&m ralphm: kind of (-: It turns out to be more complicated than that, mixing MSA (Mail Submission Agents) and MTA (Mail Transfer Agents)
  163. simon I'm still watching this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=14328
  164. simon one can have hope...
  165. ralphm m&m: arguably, e-mail now has different services for submission and transfer
  166. ralphm the fact that people still submit on 25 is, well, backwards
  167. ralphm (so _smtp vs. _submission)
  168. Neustradamus has left
  169. simon has left
  170. Leonidas has left
  171. fippo m&m: almost always, unless you're the receiving server. but then you need to outgoing dance soon anyway ;-)
  172. m&m fippo: that's my point (-:
  173. m&m goes back to cooking jose
  174. Zash I thought people agreed with this already...
  175. Zash has left
  176. Tobias has left
  177. Zash has joined
  178. winfried has left
  179. Leonidas has joined
  180. Lloyd has left
  181. Neustradamus has left
  182. Neustradamus has joined
  183. Tobias has joined
  184. winfried has joined
  185. Santiago26 has joined
  186. martin.hewitt@surevine.com has left
  187. Leonidas has left
  188. Santiago26 has left
  189. Santiago26 has left
  190. martin.hewitt@surevine.com has joined
  191. Santiago26 has joined
  192. Zash has left
  193. Zash has joined
  194. martin.hewitt@surevine.com has left
  195. martin.hewitt@surevine.com has joined
  196. Simon has joined
  197. Santiago26 has left
  198. Santiago26 has left
  199. Simon Quick question before sending out an email to the list about the <potential> DNSSEC grant: Who is it from?
  200. Santiago26 has joined
  201. stpeter um?
  202. stpeter the Internet Society are the folks we'd ask to fund this
  203. Simon Thanks. That's what I needed.
  204. Simon Doing my board task from last week - email about how we get most bang-for-buck from it.
  205. martin.hewitt@surevine.com has left
  206. Laura has left
  207. dwd has left
  208. stpeter Simon: thanks!
  209. Santiago26 has left
  210. Santiago26 has left
  211. Santiago26 has joined
  212. Santiago26 has left
  213. Simon has left
  214. Simon has joined
  215. Santiago26 has left
  216. martin.hewitt@surevine.com has joined
  217. Leonidas has joined
  218. martin.hewitt@surevine.com has left
  219. winfried has left
  220. Simon has left
  221. martin.hewitt@surevine.com has joined
  222. Simon has joined
  223. martin.hewitt@surevine.com has left
  224. Neustradamus Have you planned an article for the next Security Test Day? "March 22, 2014 - third test day"
  225. Ash has left
  226. winfried has joined
  227. Ash has joined
  228. Simon Neustradamus: I'm working on that.
  229. Santiago26 I'm going to write an article for the Russian-speaking audience. You may know, we have a pretty large community, including ejabberd developers, but still no one takes part in the test days. I'll try to fix this. Just FYI :)
  230. Simon Hi Santiago26. Which are the big XMPP servers in Russia?
  231. martin.hewitt@surevine.com has joined
  232. Neustradamus Simon: :)
  233. Santiago26 Hi. Ya.ru (by yandex.ru search engine), qip.ru (QIP IM) — millions of users, hundreds of thousands online daily …and jabber.ru is the godfather, but it has not so many users
  234. Simon Santiago26. Thanks. Do you have any way to track down the admins for those servers? It would be great to shoot them a private message from either you or myself with a quick heads-up.
  235. Tobias also wondering why qip.ru runs a quite old version of ejabberd
  236. Santiago26 I think that yandex.ru admins are not accessible for me (us), qip.ru have some problems with their bosses, but we are discussing this idea, and I've tried to discuss the Manifesto with zinid and ermine from jabber.ru and have no answer.
  237. Santiago26 Tobias: It is custom version of ejabberd, forked at 2.0.3, I think.
  238. Tobias Santiago26, ahh... I hope it's well maintained :)
  239. fippo http://blogs.adobe.com/standards/2014/03/18/the-business-of-standards-part-1/ -- true, true
  240. m&m has left
  241. m&m has joined
  242. Tobias fippo, nice read
  243. m&m has left
  244. martin.hewitt@surevine.com has left
  245. ralphm Tobias, fippo, yes, but I can't see it separate from the context this is posted on
  246. ralphm Adobe isn't necessarily on the forefront of standards development.
  247. Tobias ralphm, wasn't it behind standardizing PDF at ISO?
  248. Tobias but yeah..that's an old one
  249. Tobias ralphm, what context are you referring to exactly?
  250. ralphm Tobias: well, mostly that it is posted by Adobe
  251. Tobias ah..ok
  252. Simon has left
  253. ralphm and also that the context is a bit missing, I suppose
  254. ralphm why is he talking about standards, really?
  255. Tobias right... that I wondered about too... I first thought I missed some WebRTC news or so :)
  256. Tobias i mean while HTML5 and WebRTC are taking the biggest chunk out of flash over time, are they active in the WebRTC development or mostly just HTML5?
  257. ralphm About that, couldn't do our weekly hangout because Hangouts is having issues. Used talky this time. Nice.
  258. ralphm I haven't consciously noticed Adobe being active in WebRTC, but I am not following in minute detail.
  259. m&m has joined
  260. m&m has left
  261. m&m has joined
  262. Ash has left
  263. Santiago26 has left
  264. Ash has joined
  265. ralphm has left
  266. Santiago26 has left
  267. martin.hewitt@surevine.com has joined
  268. martin.hewitt@surevine.com has left
  269. martin.hewitt@surevine.com has joined
  270. Santiago26 has joined
  271. Zash has joined
  272. Leonidas has left
  273. Santiago26 has left
  274. Zash has joined
  275. martin.hewitt@surevine.com has left
  276. Ash has left
  277. winfried has left
  278. m&m has left
  279. m&m has joined
  280. Santiago26 has joined
  281. Santiago26 has left
  282. stpeter has left
  283. m&m has left
  284. martin.hewitt@surevine.com has joined
  285. Santiago26 has joined
  286. Santiago26 has left
  287. Zash has left
  288. martin.hewitt@surevine.com has left