XSF Discussion - 2017-10-04

I don't think XEP-0156 security considerations go far enough

DNS is insecure (in practice), and there is no requirement for the BOSH URL in DNS to match your login host

So anyone with the ability to forge DNS for your domain can redirect XEP-0156-capable clients to any place they choose

-xep 156

Zash: XEP-0156: Discovering Alternative XMPP Connection Methods (Standards Track, Draft, 2016-06-07) See: https://xmpp.org/extensions/xep-0156.html

-xep dnssec

Zash: XEP-0344: Impact of TLS and DNSSEC on Dialback (Standards Track, Deferred, 2017-09-11) See: https://xmpp.org/extensions/xep-0344.html

MattJ: anyone with the ability for forge DNS for your domain can redirect clients to any place they choose

and then you use TLS certificate verification to detect that

and you don't go ahead with the connection

and that is not true for xep156?

No

The XEP recommends using HTTPS, but this is not enough

Flow, well, it is true, but the attacker can choose the name the client validates against :)

the BOSH URL can be https://mitm.badguy.net/http-bind

jonasw: with BOSH you validate the cert not against the XMPP domain you want to connect to?

As long as the bad guy knows how to use Let's Encrypt to get a cert for his own domain, everything will work fine

ahh ok

BOSH is just HTTPS, it was designed to be used where only a HTTPS API was available

yep, in that case xep156 should eventually require DNSSEC

Like how DNSSEC-signed SRV records are an acceptable proof of delegation

as if you could enforce that in a JS client.

Another issue is that browsers don’t expose DNSSEC validation to the application.

Hmm, no, that’s unrelated, the HTTP-based way in 0156 is fine, since it is done against the user’s domain.

Ge0rG, so https://op-co.de/blog/posts/java_sslsocket_mitm/ "undisclosed Android application (contacted on 2014-07-21)" is it time to name it yet? :)

I had discloused the application back then. I think there where no commits since then

Uh, I was wrong, last commit is less then 22 months ago

so which app?

moparisthebest: I'm pretty sure it was Xabber.

Ge0rG: sure? I remember it was a different app

Flow: I'll have a look at my mail archive some time later today

either way 3 years was probably enough time to name them :)

they've either fixed it or never will at this point

moparisthebest: there aren't that many xmpp clients for android which existed in 2014 and are not listed on the page

for example xabber is listed

to quote from council@: 15:31:23 Tobias> we have logs again, thanks to whoever did that I can only +1 that :)

even with the logs from the past

:)

The gap's there because we didn't log anything at all in that period.

ah, unfortunate timing of that message :)

* the six month gap between mid March and September.

ohh

I didn’t see that :)

still amazing :)

but at least from mid sept, that’s already good

Anything before The Event might not be there, even though the page claims it's there. It's a bit hit and miss.

Yet, didn't want to prune it.

Want me to fill the logs I obtained during that time?

They are in the mcabber/poezio format, which should be easy to convert into whatever format you are using.

@Link Mauve not a terrible idea. No idea when I have time to look at that, but if you have them, might as well pop them over and we can see when to fill in the blanks.

watch out, Link Mauve could have modified logs for his own nefarious purposes

I’ll send March-September for this room, do you want any other room I’m in?

:P

moparisthebest: a valid point

Like council@.

moparisthebest, indeed.

what, I don't remember the board electing Link Mauve XMPP king for life back in march, oh well, it's in the logs

I can send my logs, too

same format :)

we can diff the textual content and see if there’s anything wrong there

only if we trust you two aren't colluding

the order should be equivalent, just the timestamps can be fuzzy.

I smell collusion.

nevar!

as if we should trust the both of you not conspiring...

I still have a grudge against Link Mauve for not delivering the XEP update he promised, so there’s no way we are colluding!!k :-)

I can toss in whatever I have logged in my own archive, and make an outright mess of things ;)

jonasw, that's exactly what someone colluding would say

I can conspi.. eh.. contribute logs in the same format.

:o

Link Mauve, just kidding :)

I will never collude again with you then!

"again"?

can we vote members out?

jonasw, aren’t we colluding right now?

I’m too confused at this point.

I'll likely not make the board meeting today, sorry

With SCAM, I'd like to get the effort underway to organize FOSDEM'18 & the corresponding summit. I'd be grateful if people that were invovled in earlier events could help out (as I'm unsure where to start)

please find us in either the summit or scam MUC!

(but first: dinner! afk)

summit dinner?

Board meeting time

Indeed

Who's around?

I'm here until :30

I can take minutes

but "done is better than perfect" and "stop starting, start finishing"

oops

https://trello.com/b/Dn6IQOu0/board-meetings

Getting a bit ahead of ourselves unless a third board member pipes up

few items

present.

Ah, splendid, we are 3

meh

Let's get started

go?

1. Roll call

gavel, are you here?

Myself, nyco, and Arc in attendance

2. Minutes. jonasw?

\m/

yes

Here

Ooh, a 4th, excellent

good!

3. Topics for decisions. Only thing on Trello is the logo, which I think we okayed last week?

yes you did

OK

4. Commitment list

4.1 Council & board elections

I saw an email went out about these, what else do we need to do?

Martin, Put your name down? :-)

nothing? agree? say goodbye or apply again?

Perhaps board could reach out to nonmembers

I guess I'm asking the more seasoned hands if the Board have anything specific we need to do at this point?

Martin, First, ensure that Alex has done the job, which he has.

i'll apply again

Martin, Second, note it for the record.

Right, good, noted that Alex sent out the details to the members list. As Guus has mentioned, casting a wide net can't hurt.

5. Items for discussion

again?

5.1 "Discuss renaming 'Draft' to 'Stable'

jonasw: Again what?

aahhh

I’m too stupid to discern "Discussion" and "decision"

nevermind me

(I thought we had "Topics for *discussion*" already, but it was "decision")

Mailing list ref: https://mail.jabber.org/pipermail/standards/2017-September/033441.html

Any thoughts on this?

im not sure if we're the right body to decide this

I was wondering the same

Arc, You are, because changes to XEP-0001 (which this would be) are approved by Board.

"Recommandation", "Request For Comments": what does it mean?

what are the expected benefits of such a name change? for whom?

nyco, I think this has been discussed in the standards@ thread

Yeah, there still seems to be a fair bit of discussion going on in the mailing list, might be worth seeing how that pans out

seems it, yes

the discussion has been stalled for more than one week

That discussion wasn't followed up on any longer.

Blame my inability to navigate mailing lists

Guus: you're running for the board, right?

Did Council have a statement/

Am I?

I'm considering it, but I've got a bit much boards on my plate as it is :)

me too

OK, correct me if I'm mis-reading the ML thread, but there doesn't seem to be a consensus?

So there's a discussion, and it seems to have come to a halt, but not to a conclusion...

I think the consensus was to not rename 'experimental' (but strive for XEPs to not linger in that state), but to rename 'draft'

Guus, I proposed the specific case of Draft => Stable, and even I'm not convinced that has genera agreement from people.

I'm under the impression that this was also discussed and agreed on by Council, but I'm not sure?

Okay, I might have misread/misinterpreted. I've not been able to keep up the pace the last few days.

Council didn't approve it; it decided to let discussion continue and see what the Board said.

So, what needs to happen for Board to decide either way?

"further discussion" won't happen without incentive

dwd, I apologize for the confusion, I must have mixed up a few things.

I'll try to pay better attention next time :)

I think the discussion has been too varied so far. Before I'd want to approve any change with a Board hat on, I'd rather see a very specific proposal backed by members

+1 to that MattJ

+1 to MattJ

I can post such a proposal to the list

+1 to dwd

Thanks MattJ

MattJ, please do

5.2 Outsource trademark license application decisions from board to separate WG

Did this come from you, Guus?

Nope. Ge0rG, I think

Mixing up my G's

We get that a lot.

It was me.

Not much context around it on Trello. I created the card so I probably should've asked for more at the time.

Not a very serious proposal, just because board had such a long no-meeting time.

Are/were there applications that got held up?

mine did

by a week or so

nothing urgent though

Feels like a sledgehammer to crack a nut, if the cliche translates.

I tend to agree

OK, I'll archive it

Ok, let's bring this to a close.

6. AOBs?

Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?

nope

My AOB is I won't be able to attend the next 3 board meetings due to holidays.

7. Time & date of next, +1W?

wfm

good

Right, think we're done. Thanks everyone.

+1w

Martin, Arc?

gotta go, thx, bye!

Sorry again, guys.

Guus: I work for Surevine, my interest is in using federation to make systems that fit an organisation, not the other way around.

thanks. Arc?

Ge0rG: not cool at all.

Guus: ?

Your oneliner for the record

16:31:51 Guus> Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?

that’s the context I guess

yup

yeah, I've now ripped it from your last membership application.

bio PR in 3, 2, 1...

https://github.com/xsf/xmpp.org/pull/376

does martin have a github account?

ah, found it

Kev, you here by any chance?

ralphm: pardon me please? What's not cool m

s/m/?/

I won't be tricked into giving a bio :-P

Arc: please note that a bio has been provided none-the-less. :)

good, then its not autobio :-P

Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).

what's the name for this part in the domain name of a component? thispart.example.org ?

label, I think

But that's DNS terminology, not specific to XMPP

In XMPP, other than for DNS resolution, the domain is opaque

There are three labels in that domain name though. I suspect Guus wants to refer specifically to the subdomain

There's no intrinsic relation between example.org and sub.example.org

It's still common to need to refer to the sub. part though

"fully qualified"?

That is nothing more than convention

The whole thing is fqdn, sure

The leftmost part is then a hostname

Not sure if fqdn is a well-defined term tho

Totally is

https://en.m.wikipedia.org/wiki/Fully_qualified_domain_name

the common term is third-level domain

which also caters for "top-level" domains like .co.uk somewhat

(cc @ Guus)

Thanks (putting kids to bed now, afk)

have fun

Also, ralphm : Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).

Please elevate my permissions.

I'm not near a device to easily do these things

in xmpp, component domains need not be subdomains of the xmpp domain?

Nope

Nope.

wow. Pretty sure that that's not supported in any of our code

Prosody special-cases those by advertising them in the disco#items of the “parent” domain, other servers may do similar things.

By convention

Guus, by “your”, do you mean OF?

yeah, and Whack

the external component implementation that we have

Perhaps that's because I've always thought this way, but why would one not want an external component to be hierarchically under the xmpp domain? It's part of the same realm, no?

Because there is no relation between them.

also think about PKI/certificates

in a decentralized sollution you need to have mulitple independant root certificates

(it is the sam argument as @Link Mauve says really, just a different angle)

does someone actually use addressing like that for external components?

working with my own stuff, i've obviously never seen it. Nor had or heard of the need.

Outside of the component protocol, it's just another JID

Guus, at JabberFR we serve some 73 user domains, all of them share the same set of components to provide them nice additional features.

Cool

one of the many things to improve on, then

Guus, what do you mean? Multiple domains?

multiple domains without s2s?

or?

stefandxm: Link already answered, but I was wondering if there were external components "in the wild" that really have an address that's not a subdomain of the (single) xmpp domain that they're connected to.

that's how I've always used them

I've been looking at our code - don't even think it would be to hard to change for Openfire - but then again, I wonder if it's worth the trouble

we had it at my old job

we ran a hybrid cloud

our cloud was in cloud.companydomain.top

rather than company.cloud.top

it makes more sense securitywise when it comes to firewalls

its also very nice to use for onboarding

and not only firewalls but in general. because of certificates again

if you run xmpp.company.com

you can have a certificate that is linked to the company

how would you know to trust company.xmpphost.com ?

all you know is that you want to trust company.com

what is this xmpphost?

company.xmpphost.com has a certificate valid for company.com, that's how

or, DNSSEC

sure

my bad. its of course possible

albeit seen implementations not liking it

but that just buggy =)

but i still hold that xmpp.company.com makes more sense

the name doesn't matter at all

you validate the name in the cert

it's actually more code to care whether it's a subdomain or not

its a dual side of the coin really

yeah

and in reality code is what makes everything works

lets say you have microsoft.knownfisher.com

will you like this certificate even if you would trust the PKI for the certificate alone?

its not trivial in reality. but i agree so i dont want to argue :)

However. I found out the buildscript issue

so know i updated http://opensource.clayster.com/lwtsd/Communications/lwtsd

with "new" error management

ill send it in as an xep if there is enough people who thinks it is worth the work

so the call for experience on '368 ended yesterday, what's the procedure for a few clerical updates on a draft xep? do I just put in a PR or what?

I suppose council votes or something?

moparisthebest, ask me again tomorrow if nobody replies to you in the meantime

There's always room for textual changes for clarification and typos and such. A PR seems like a good start. Naturally it is up to the Editors to discuss with Council if a change meets the requirements in section 9.4 of XEP-0001: https://xmpp.org/extensions/xep-0001.html#states-Final

moparisthebest: ^

it's just more clarification and 1 change from SHOULD to MAY

but yeal I'll put in a PR and go from there, thanks ralphm