Ge0rG: dwd: ping. are you still overloaded with work?
simon: Zash has DANE working for Prosody now. It looks like Tigase has something on the horizon: https://projects.tigase.org/issues/1626. Anyone know about Ejabberd or MongooseIM or Openfire?
Zash: Need to write a proper DANE+XMPP draft
simon: Zash: Do you have some setup instructions lurking anywhere?
Zash: simon: For the Prosody DANE plugin, DNS setup or bot?
Zash: both*
m&m: Zash: would it be acceptable to put the XMPP-specific parts of DANE into draft-ietf-xmpp-dna, or does it really require a standalone draft?
simon: The plugin looks pretty straightforward. But for the DNS setup, all the guides I've read are quite complex and assume a massive rollout... Well, it would be nice to have a simple setup guide. Does such a thing exist?
Zash: m&m: Would probably be fine to have it in DNA-DANE
m&m: Zash: patches welcome (-:
Zash: Maybe, once I recover from the meeting I had this entire weekend.
m&m: ouch
m&m: working on that is third on my TODO
fippo: DNA-DANE-POSH maybe
fippo: we still need to define what DNA is actually ;-)
m&m: http://dictionary.reference.com/browse/DNA
Zash: My code is currently diverging from the DANE-SRV stuff
simon: Zash: how does it diverge?
Zash: It looks up _xmpp-server.example.com IN TLSA instead of _$port._tcp.your-srv-target.example.com
m&m: I doubt that TLSA for _xmpp-server.example.com would get published
Zash: Hm?
simon: what's your thinking on using xmpp-server instead of _$port._tcp.your-srv-target.example.com?
simon: I love it when someone can point to a webpage to answer questions!
m&m: the problem here is that it assumes a level of micro-coordination between the owning domain and the hosting provider that is only really possible for stand-alone servers
Zash: Basically, it's easier, especially for validating incoming connections.
Zash: m&m: CNAME :P
m&m: /-:
m&m: \-:
m&m: requiring CNAME to deploy seems like a Really Bad Idea™.
m&m: and again requires the owning domain and hosting provider to be in sync on DNS updates
simon: It's bad enough getting people to set up SRV records... (SRV what?)
ralphm: also, is this format for TLSA even valid?
m&m: ralphm: it's not prohibited, but it's not documented anywhere
ralphm: simon: strongly disagree. I wish SRV was used more. Like in HTTP.
m&m: RFC 6698 documents using _$port._tcp.hosting.example.net
Zash: ralphm: The qname has nothing to do with the TLSA format, that's just an example convention.
m&m: ralphm: wishing something were so and reality are often in conflict (-:
simon: ralphm: I agree, wish they were used more too. But I have to explain why they are awesome every single bloody time.
m&m: and how 5222 and 5269 are not "proprietary ports"
ralphm: simon: write a web page to point to.
Zash: m&m: Incoming s2s connection, I wanna validate the client cert without doing over 9000 lookups.
m&m: ralphm: at that point, I might as well use .well-known and host metadata d-:
Zash: And SRV records might not even point to servers doing outgoing connections.
ralphm: m&m: I mean a web page explaining SRV
m&m: Zash: I understand your desire, but I think you're going to have to suck it up and deal with the extra lookups
intosi: You're going to do a million lookups anyway, because of DNSSEC.
ralphm: +1 sucking it up
intosi: m&m: +1
Zash: intosi: The dns library handles that for me.
m&m: Zash: it's not a ton of lookups, but n*2 (n == count of SRV RRs)
m&m: well, 3*n if you do both A and AAAA and TLSA
simon: One million lookups http://img2.wikia.nocookie.net/__cb20090506185112/uncyclopedia/images/f/fa/Dr_evil_one_million_dollars.jpg
intosi: And you probably will want to look up / have looked up the SRV records for the domain in question.
m&m: but really, anything that relies on the source domain holding information on the keying material severely constrains hosting deployments
Zash: intosi: Not for incoming connections with bidi
ralphm: I don't want to promote any non-standard use of existing DNS RRs. There are a few to choose from for pointing to things, all with their own uses: TXT, CNAME, SRV, TLSA, PTR. Please, just use them appropriately.
ralphm: I remember a recent discussion with simon on this for BC.
simon: Go PTR!
Zash: I remember a recent discussion with DANE people at IETF that this made more sense than the _port way.
m&m: if it wasn't Viktor Dukhovni or Wes Hardaker, then it probably wasn't with people actually deploying things (-:
simon: m&m: that's one of the most pleasant to read RFCs. Nice job btw.
m&m: Zash: /sigh … this is after spending about 2 minutes trying to explain XMPP S2S to someone unfamiliar with XMPP
ralphm: woooosh
m&m: for actual XMPP clients, this might be ok, although I still doubt the actual deployability of true client certs
m&m: for servers, I think you'll have to do the SRV and TLSA lookups, or you could be getting false negatives
m&m: particularly for hosting providers that have separate certs for each individual end-point
m&m: simon: we try (-:
Zash: false negatives?
m&m: for instance, let's say hobbiton.example is hosted at a large provider with 6 s2s end-points (im1.middle-earth.example, im2.middle-earth.example, im3.middle-earth.example, im4.middle-earth.example, im5.middle-earth.example, im6.middle-earth.example)
m&m: you get an incoming connection from one of these, and you do an IN TLSA _xmpp-server.hobbiton.example
Zash: I get 6 records back, find at least one matching and then I'm happy.
m&m: if that resulted in 6 different TLSA RRs, then you'll probably be fine unless im3.middle-earth.example had to rotate keys
m&m: but if you relied on your CNAME, well, things get a lot messier
Zash: Because?
m&m: if you did the SRV then TLSA lookups, you'd get a whole lot closer to reality
m&m: CNAMEs to multiple records are messy
Zash: Is it?
m&m: that's what I've been told at least (-:
m&m: plus, you're requiring the owning domain and possibly hosting provider to make sure extra records are in sync, which increases the likelihood of failure
m&m: doing the same SRV + TLSA dance for incoming connections as outgoing minimizes the number of records operators have to publish (reducing the bugs)
ralphm: also, you can't point to CNAMEs with SRV
m&m: ralphm: you can have CNAME _xmpp-server._tcp.example.com
ralphm: I'm sure that goes for other record types, too
ralphm: cries
Zash: ralphm: Not relevant.
m&m: ralphm: it also turns out the vast majority of resolvers don't really care where the CNAME/DNAME records are in the chain )-:
ralphm: CNAMEs only exist because there wasn't anything better
m&m: the other thing with doing the SRV + TLSA dance on incoming is that you'll almost always have cached records for the outgoing (or almost always have cached on your outgoing before you got the incoming)
simon: ralphm: kinda like MX too?
ralphm: simon: well, yeah, MX is just e-mail specific SRV
m&m: ralphm: kind of (-: It turns out to be more complicated than that, mixing MSA (Mail Submission Agents) and MTA (Mail Transfer Agents)
simon: I'm still watching this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=14328
simon: one can have hope...
ralphm: m&m: arguably, e-mail now has different services for submission and transfer
ralphm: the fact that people still submit on 25 is, well, backwards
ralphm: (so _smtp vs. _submission)
fippo: m&m: almost always, unless you're the receiving server. but then you need to do the outgoing dance soon anyway ;-)
m&m: fippo: that's my point (-:
m&m: goes back to cooking jose
Zash: I thought people agreed with this already..
Simon: Quick question before I send out an email to the list about the <potential> DNSSEC grant: Who is it from?
stpeter: um?
stpeter: the Internet Society are the folks we'd ask to fund this
Simon: Thanks. That's what I needed.
Simon: Doing my board task from last week - email about how we get the most bang-for-buck from it.
stpeter: Simon: thanks!
Neustradamus: Have you planned an article for the next Security Test Day? "March 22, 2014 - third test day"
Simon: Neustradamus: I'm working on that.
Santiago26: I'm going to write an article for the Russian speaking audience. You may know, we have a pretty large community, including ejabberd developers, but still no one takes part in the test days. I'll try to fix this. Just FYI :)
Simon: Hi Santiago26. Which are the big XMPP servers in Russia?
Neustradamus: Simon: :)
Santiago26: Hi. Ya.ru (by yandex.ru search engine), qip.ru (QIP IM) — millions of users, hundreds of thousands online daily
Santiago26: …and jabber.ru is the godfather, but it has not so many users
Simon: Santiago26: Thanks. Do you have any way to track down the admins for those servers? It would be great to shoot them a private message from either you or myself with a quick heads-up.
Tobias: also wondering why qip.ru runs a quite old version of ejabberd
Santiago26: I think that yandex.ru admins are not accessible for me (us), qip.ru have some problems with their bosses, but we are discussing this idea, and I've tried to discuss the Manifesto with zinid and ermine from jabber.ru and have had no answer.
Santiago26: Tobias: It is a custom version of ejabberd, forked at 2.0.3, I think.
Tobias: Santiago26, ahh.. I hope it's well maintained :)
ralphm: Tobias, fippo, yes, but I can't see it separate from the context this is posted in
ralphm: Adobe isn't necessarily at the forefront of standards development.
Tobias: ralphm, wasn't it behind standardizing PDF at ISO?
Tobias: but yeah.. that's an old one
Tobias: ralphm, what context are you referring to exactly?
ralphm: Tobias: well, mostly that it is posted by Adobe
Tobias: ah.. ok
ralphm: and also that the context is a bit missing, I suppose
ralphm: why is he talking about standards, really?
Tobias: right... that I wondered about too.. I first thought I missed some WebRTC news or so :)
Tobias: I mean, while HTML5 and WebRTC are taking the biggest chunk out of Flash over time, are they active in the WebRTC development or mostly just HTML5?
ralphm: About that, couldn't do our weekly hangout because Hangouts is having issues. Used talky this time. Nice.
ralphm: I haven't consciously noticed Adobe being active in WebRTC, but I am not following in minute detail.