XSF Discussion - 2014-03-17

  1. Zash has left

  2. Jef has left

  3. stpeter has left

  4. Leonidas I has joined

  5. Leonidas I has left

  6. Simon has joined

  7. Alex has joined

  8. emcho has joined

  9. Leonidas I has joined

  10. Simon has left

  11. simon has joined

  12. simon has left

  13. simon has joined

  14. Leonidas I has left

  15. Leonidas I has joined

  16. Leonidas has joined

  17. Leonidas has left

  18. Leonidas has joined

  19. Alex has left

  20. Tobias has joined

  21. Leonidas has left

  22. Leonidas has joined

  23. Leonidas has left

  24. Leonidas has joined

  25. Leonidas has left

  26. Leonidas has joined

  27. emcho has left

  28. emcho has joined

  29. winfried has joined

  30. Laura has joined

  31. Leonidas has left

  32. Leonidas has joined

  33. Lloyd has joined

  34. Laura has left

  35. Laura has joined

  36. Ash has joined

  37. Laura has left

  38. Laura has joined

  39. martin.hewitt@surevine.com has joined

  40. Zash has joined

  41. Leonidas has left

  42. ralphm has left

  43. intosi has left

  44. intosi has joined

  45. intosi has left

  46. intosi has joined

  47. Ge0rG

    dwd: ping. are you still overloaded with work?

  48. Laura has left

  49. Laura has joined

  50. Laura has left

  51. Laura has joined

  52. emcho has left

  53. emcho has joined

  54. Laura has left

  55. Laura has joined

  56. Santiago26 has joined

  57. Santiago26 has left

  58. Santiago26 has joined

  59. Santiago26 has left

  60. Santiago26 has joined

  61. Santiago26 has left

  62. Santiago26 has joined

  63. Santiago26 has left

  64. m&m has joined

  65. simon

    Zash has DANE working for Prosody now. It looks like Tigase has something on the horizon: https://projects.tigase.org/issues/1626. Anyone know about Ejabberd or MongooseIM or Openfire?

  66. Zash

    Need to write a proper DANE+XMPP draft

  67. simon

    Zash: Do you have some setup instructions lurking anywhere?

  68. Zash

    simon: For the Prosody DANE plugin, DNS setup or bot?

  69. Zash


  70. m&m

    Zash: would be acceptable to put the XMPP-specific parts of DANE into draft-ietf-xmpp-dna, or does it really require a standalone draft?

  71. simon

    The plugin looks pretty straightforward. But for the DNS setup, all the guides I've read are quite complex and assume a massive rollout... Well, it would be nice to have a simple setup guide. Does such a thing exist?

  72. Zash

    m&m: Would probably be fine to have it in DNA-DANE

  73. m&m

    Zash: patches welcome (-:

  74. Zash

    Maybe, once I recover from the meeting I had this entire weekend.

  75. m&m


  76. m&m

    working on that is third on my TODO

  77. fippo

    DNA-DANE-POSH maybe

  78. fippo

    we still need to define what DNA is actually ;-)

  79. m&m


  80. Zash

    My code is currently diverging from the DANE-SRV stuff

  81. simon

    Zash: how does it diverge?

  82. Zash

    It looks up _xmpp-server.example.com IN TLSA instead of _$port._tcp.your-srv-target.example.com

  83. m&m

    I doubt that TLSA for _xmpp-server.example.com would get published

  84. Zash


  85. simon

    what's your thinking on using xmpp-server instead of _$port._tcp.your-srv-target.example.com?

  86. Zash

    simon: https://www.zash.se/dane-s2s-client.html

  87. simon

    I love it when someone can point to a webpage to answer questions!

  88. m&m

    the problem here is that it assumes a level of micro-coordination between the owning domain and the hosting provider that is only really possible for stand-alone servers

  89. Zash

    Basically, it's easier, especially for validating incoming connections.

  90. Zash

    m&m: CNAME :P

  91. m&m


  92. m&m


  93. m&m

    requiring CNAME to deploy seems like a Really Bad Idea™.

  94. m&m

    and again requires the owning domain and hosting provider to be in sync on DNS updates

  95. simon

    It's bad enough getting people to set up SRV records... (SRV what?)

  96. ralphm

    also, is this format for TLSA even valid?

  97. m&m

    ralphm: it's not prohibited, but it's not documented anywhere

  98. ralphm

    simon: strongly disagree. I wish SRV was used more. Like in HTTP.

  99. m&m

    RFC 6698 documents using _$port._tcp.hosting.example.net

  100. Zash

    ralphm: The qname has nothing to do with the TLSA format, that's just an example convention.

  101. m&m

    ralphm: wishing something were so and reality are often in conflict (-:

  102. simon

    Ralphm: I agree, I wish they were used more too. But I have to explain why they are awesome every single bloody time.

  103. m&m

    and how 5222 and 5269 are not "proprietary ports"

  104. ralphm

    simon: write a web page to point to.

  105. Zash

    m&m: Incoming s2s connection, I wanna validate the client cert without doing over 9000 lookups.

  106. m&m

    ralphm: at that point, I might as well use .well-known and host metadata d-:

  107. Zash

    And SRV records might not even point to servers doing outgoing connections.

  108. ralphm

    m&m: I mean a web page explaining SRV

  109. m&m

    Zash: I understand your desire, but I think you're going to have to suck it up and deal with the extra lookups

  110. intosi

    You're going to do a million lookups anyway, because of DNSSEC.

  111. ralphm

    +1 sucking it up

  112. intosi

    m&m: +1

  113. Zash

    intosi: The dns library handles that for me.

  114. m&m

    Zash: it's not a ton of lookups, but n*2 (n == count of SRV RRs)

  115. m&m

    well, 3*n if you do both A and AAAA and TLSA

  116. simon

    One million lookups http://img2.wikia.nocookie.net/__cb20090506185112/uncyclopedia/images/f/fa/Dr_evil_one_million_dollars.jpg

  117. intosi

    And you probably will want to look up / have looked up the SRV records for the domain in question.

  118. m&m

    but really, anything that relies on the source domain holding information on the keying material severely constrains hosting deployments

  119. Zash

    intosi: Not for incoming connections with bidi

  120. ralphm

    I don't want to promote any non-standard use of existing DNS RRs. There are a few to choose from for pointing to things, all with their own uses. TXT, CNAME, SRV, TLSA, PTR. Please, just use them appropriately.

  121. Leonidas has joined

  122. Leonidas has left

  123. Leonidas has joined

  124. ralphm

    I remember a recent discussion with simon on this for BC.

  125. simon

    Go PTR!

  126. Zash

    I remember a recent discussion with DANE people at IETF that this made more sense than the _port way.

  127. m&m

    if it wasn't Viktor Dukhovni or Wes Hardaker, then it probably wasn't with people actually deploying things (-:

  128. Zash

    where's that email

  129. Zash


  130. simon

    m&m: that's one of the most pleasant to read RFCs. Nice job btw.

  131. m&m

    Zash: /sigh … this is after spending about 2 minutes trying to explain XMPP S2S to someone unfamiliar with XMPP

  132. ralphm


  133. m&m

    for actual XMPP clients, this might be ok, although I still doubt the actual deployability of true client certs

  134. m&m

    for servers, I think you'll have to do the SRV and TLSA lookups, or you could be getting false negatives

  135. m&m

    particularly for hosting providers that have separate certs for each individual end-point

  136. m&m

    simon: we try (-:

  137. Zash

    false negatives?

  138. m&m

    for instance, let's say hobbiton.example is hosted at a large provider with 6 s2s end-points (im1.middle-earth.example, im2.middle-earth.example, im3.middle-earth.example, im4.middle-earth.example, im5.middle-earth.example, im6.middle-earth.example)

  139. m&m

    you get an incoming connection from one of these, and you do an IN TLSA _xmpp-server.hobbiton.example

  140. Zash

    I get 6 records back, find at least one matching and then I'm happy.

  141. m&m

    if that resulted in 6 different TLSA RRs, then you'll probably be fine unless im3.middle-earth.example had to rotate keys

  142. m&m

    but if you relied on your CNAME, well things get a lot messier

  143. Zash


  144. m&m

    if you did the SRV then TLSA lookups, you'd get a whole lot closer to reality

  145. m&m

    CNAMEs to multiple records are messy

  146. Zash

    Is it?

  147. m&m

    that's what I've been told at least (-:

  148. Neustradamus has left

  149. m&m

    plus, you're requiring the owning domain and possibly hosting provider to make sure extra records are in sync, which increases the likelihood of failure

  150. m&m

    doing the same SRV + TLSA dance for incoming connections as outgoing minimizes the number of records operators have to publish (reducing the bugs)

  151. ralphm

    also, you can't point to CNAMEs with SRV

  152. m&m

    ralphm: you can have CNAME _xmpp-server._tcp.example.com

  153. ralphm

    I'm sure that goes for other record types, too

  154. ralphm cries

  155. Zash

    ralphm: Not relevant.

  156. m&m

    ralphm: it also turns out the vast majority of resolvers don't really care where the CNAME/DNAME records are in the chain )-:

  157. ralphm

    CNAMEs only exist because there wasn't anything better

  158. m&m

    the other thing with doing the SRV + TLSA dance on incoming is that you'll almost always have cached records for the outgoing (or almost always have cached on your outgoing before you got the incoming)

  159. simon

    Ralphm: kinda like MX too?

  160. ralphm

    simon: well, yeah, MX is just e-mail specific SRV

  161. stpeter has joined

  162. m&m

    ralphm: kind of (-: It turns out to be more complicated than that, mixing MSA (Mail Submission Agents) and MTA (Mail Transfer Agents)

  163. simon

    I'm still watching this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=14328

  164. simon

    one can have hope...

  165. ralphm

    m&m: arguably, e-mail now has different services for submission and transfer

  166. ralphm

    the fact that people still submit on 25 is, well, backwards

  167. ralphm

    (so _smtp vs. _submission)

  168. Neustradamus has left

  169. simon has left

  170. Leonidas has left

  171. fippo

    m&m: almost always, unless you're the receiving server. But then you need to do the outgoing dance soon anyway ;-)

  172. m&m

    fippo: that's my point (-:

  173. m&m goes back to cooking jose

  174. Zash

    I thought people agreed with this already..

  175. Zash has left

  176. Tobias has left

  177. Zash has joined

  178. winfried has left

  179. Leonidas has joined

  180. Lloyd has left

  181. Neustradamus has left

  182. Neustradamus has joined

  183. Tobias has joined

  184. winfried has joined

  185. Santiago26 has joined

  186. martin.hewitt@surevine.com has left

  187. Leonidas has left

  188. Santiago26 has left

  189. Santiago26 has left

  190. martin.hewitt@surevine.com has joined

  191. Santiago26 has joined

  192. Zash has left

  193. Zash has joined

  194. martin.hewitt@surevine.com has left

  195. martin.hewitt@surevine.com has joined

  196. Simon has joined

  197. Santiago26 has left

  198. Santiago26 has left

  199. Simon

    Quick question before I send out an email to the list about the <potential> DNSSEC grant: Who is it from?

  200. Santiago26 has joined

  201. stpeter


  202. stpeter

    the Internet Society are the folks we'd ask to fund this

  203. Simon

    Thanks. That's what I needed.

  204. Simon

    Doing my board task from last week: an email about how we get the most bang-for-buck from it.

  205. martin.hewitt@surevine.com has left

  206. Laura has left

  207. dwd has left

  208. stpeter

    Simon: thanks!

  209. Santiago26 has left

  210. Santiago26 has left

  211. Santiago26 has joined

  212. Santiago26 has left

  213. Simon has left

  214. Simon has joined

  215. Santiago26 has left

  216. martin.hewitt@surevine.com has joined

  217. Leonidas has joined

  218. martin.hewitt@surevine.com has left

  219. winfried has left

  220. Simon has left

  221. martin.hewitt@surevine.com has joined

  222. Simon has joined

  223. martin.hewitt@surevine.com has left

  224. Neustradamus

    Have you planned an article for the next Security Test Day? "March 22, 2014 - third test day"

  225. Ash has left

  226. winfried has joined

  227. Ash has joined

  228. Simon

    Neustradamus: I'm working on that.

  229. Santiago26

    I'm going to write an article for a Russian-speaking audience. You may know, we have a pretty large community, including ejabberd developers, but still no one takes part in the test days. I'll try to fix this. Just FYI :)

  230. Simon

    Hi Santiago26. Which are the big XMPP servers in Russia?

  231. martin.hewitt@surevine.com has joined

  232. Neustradamus

    Simon: :)

  233. Santiago26

    Hi. Ya.ru (by yandex.ru search engine), qip.ru (QIP IM) — millions of users, hundreds of thousands online daily …and jabber.ru is the godfather, but it has not so many users

  234. Simon

    Santiago26. Thanks. Do you have any way to track down the admins for those servers? It would be great to shoot them a private message from either you or myself with a quick heads-up.

  235. Tobias

    also wondering why qip.ru runs a quite old version of ejabberd

  236. Santiago26

    I think that yandex.ru admins are not accessible for me (us), qip.ru have some problems with their bosses, but we are discussing this idea, and I've tried to discuss the Manifesto with zinid and ermine from jabber.ru and have had no answer.

  237. Santiago26

    Tobias: It is a custom version of ejabberd, forked at 2.0.3, I think.

  238. Tobias

    Santiago26, ahh..i hope it's well maintained :)

  239. fippo

    http://blogs.adobe.com/standards/2014/03/18/the-business-of-standards-part-1/ -- true, true

  240. m&m has left

  241. m&m has joined

  242. Tobias

    fippo, nice read

  243. m&m has left

  244. martin.hewitt@surevine.com has left

  245. ralphm

    Tobias, fippo, yes, but I can't see it separately from the context it is posted in

  246. ralphm

    Adobe isn't necessarily on the forefront of standards development.

  247. Tobias

    ralphm, wasn't it behind standardizing PDF at ISO?

  248. Tobias

    but yeah..that's an old one

  249. Tobias

    ralphm, what context are you referring to exactly?

  250. ralphm

    Tobias: well, mostly that it is posted by Adobe

  251. Tobias


  252. Simon has left

  253. ralphm

    and also that the context is a bit missing, I suppose

  254. ralphm

    why is he talking about standards, really?

  255. Tobias

    right...that I wondered about too..I first thought I missed some WebRTC news or so :)

  256. Tobias

    I mean, while HTML5 and WebRTC are taking the biggest chunk out of Flash over time, are they active in WebRTC development or mostly just HTML5?

  257. ralphm

    About that, couldn't do our weekly hangout because Hangouts is having issues. Used talky this time. Nice.

  258. ralphm

    I haven't consciously noticed Adobe being active in WebRTC, but I am not following in minute detail.

  259. m&m has joined

  260. m&m has left

  261. m&m has joined

  262. Ash has left

  263. Santiago26 has left

  264. Ash has joined

  265. ralphm has left

  266. Santiago26 has left

  267. martin.hewitt@surevine.com has joined

  268. martin.hewitt@surevine.com has left

  269. martin.hewitt@surevine.com has joined

  270. Santiago26 has joined

  271. Zash has joined

  272. Leonidas has left

  273. Santiago26 has left

  274. Zash has joined

  275. martin.hewitt@surevine.com has left

  276. Ash has left

  277. winfried has left

  278. m&m has left

  279. m&m has joined

  280. Santiago26 has joined

  281. Santiago26 has left

  282. stpeter has left

  283. m&m has left

  284. martin.hewitt@surevine.com has joined

  285. Santiago26 has joined

  286. Santiago26 has left

  287. Zash has left

  288. martin.hewitt@surevine.com has left