Zash: XEP-0344: Impact of TLS and DNSSEC on Dialback (Standards Track, Deferred, 2017-09-11)
See: https://xmpp.org/extensions/xep-0344.html
Flow
MattJ: anyone with the ability to forge DNS for your domain can redirect clients to any place they choose
MattJ
and then you use TLS certificate verification to detect that
MattJ
and you don't go ahead with the connection
Flow
and that is not true for xep156?
MattJ
No
MattJ
The XEP recommends using HTTPS, but this is not enough
jonasw
Flow, well, it is true, but the attacker can choose the name the client validates against :)
MattJ
the BOSH URL can be https://mitm.badguy.net/http-bind
Flow
jonasw: with BOSH you validate the cert not against the XMPP domain you want to connect to?
MattJ
As long as the bad guy knows how to use Let's Encrypt to get a cert for his own domain, everything will work fine
Flow
ahh ok
MattJ
BOSH is just HTTPS, it was designed to be used where only an HTTPS API was available
Flow
yep, in that case xep156 should eventually require DNSSEC
Zash
Like how DNSSEC-signed SRV records are an acceptable proof of delegation
jonasw
as if you could enforce that in a JS client.
Link Mauve
Another issue is that browsers don’t expose DNSSEC validation to the application.
Link Mauve
Hmm, no, that’s unrelated, the HTTP-based way in 0156 is fine, since it is done against the user’s domain.
moparisthebest
Ge0rG, so https://op-co.de/blog/posts/java_sslsocket_mitm/ "undisclosed Android application (contacted on 2014-07-21)" is it time to name it yet? :)
Flow
I had disclosed the application back then. I think there were no commits since then
Flow
Uh, I was wrong, last commit is less than 22 months ago
moparisthebest
so which app?
Ge0rG
moparisthebest: I'm pretty sure it was Xabber.
Flow
Ge0rG: sure? I remember it was a different app
Ge0rG
Flow: I'll have a look at my mail archive some time later today
moparisthebest
either way 3 years was probably enough time to name them :)
moparisthebest
they've either fixed it or never will at this point
Flow
moparisthebest: there aren't that many xmpp clients for android which existed in 2014 and are not listed on the page
Flow
for example xabber is listed
jonasw
to quote from council@:
15:31:23 Tobias> we have logs again, thanks to whoever did that
I can only +1 that :)
jonasw
even with the logs from the past
intosi
:)
intosi
The gap's there because we didn't log anything at all in that period.
* Guus blames intosi
Guus
ah, unfortunate timing of that message :)
intosi
* the six month gap between mid March and September.
jonasw
ohh
jonasw
I didn’t see that :)
jonasw
still amazing :)
jonasw
but at least from mid sept, that’s already good
intosi
Anything before The Event might not be there, even though the page claims it's there. It's a bit hit and miss.
intosi
Yet, didn't want to prune it.
Link Mauve
Want me to fill the logs I obtained during that time?
Link Mauve
They are in the mcabber/poezio format, which should be easy to convert into whatever format you are using.
intosi
@Link Mauve not a terrible idea. No idea when I have time to look at that, but if you have them, might as well pop them over and we can see when to fill in the blanks.
moparisthebest
watch out, Link Mauve could have modified logs for his own nefarious purposes
Link Mauve
I’ll send March-September for this room, do you want any other room I’m in?
moparisthebest
:P
intosi
moparisthebest: a valid point
Link Mauve
Like council@.
Link Mauve
moparisthebest, indeed.
moparisthebest
what, I don't remember the board electing Link Mauve XMPP king for life back in march, oh well, it's in the logs
jonasw
I can send my logs, too
jonasw
same format :)
jonasw
we can diff the textual content and see if there’s anything wrong there
moparisthebest
only if we trust you two aren't colluding
jonasw
the order should be equivalent, just the timestamps can be fuzzy.
SamWhited
I smell collusion.
jonasw
nevar!
Guus
as if we should trust the both of you not conspiring...
jonasw
I still have a grudge against Link Mauve for not delivering the XEP update he promised, so there’s no way we are colluding!! :-)
intosi
I can toss in whatever I have logged in my own archive, and make an outright mess of things ;)
moparisthebest
jonasw, that's exactly what someone colluding would say
Ge0rG
I can conspi.. eh.. contribute logs in the same format.
Link Mauve
:o
jonasw
Link Mauve, just kidding :)
Link Mauve
I will never collude again with you then!
jonasw
"again"?
moparisthebest
can we vote members out?
Link Mauve
jonasw, aren’t we colluding right now?
jonasw
I’m too confused at this point.
ralphm
I'll likely not make the board meeting today, sorry
Guus
With SCAM, I'd like to get the effort underway to organize FOSDEM'18 & the corresponding summit. I'd be grateful if people that were involved in earlier events could help out (as I'm unsure where to start)
Guus
please find us in either the summit or scam MUC!
Guus
(but first: dinner! afk)
Ge0rG
summit dinner?
nyco
Board meeting time
Martin
Indeed
Martin
Who's around?
nyco
I'm here until :30
jonasw
I can take minutes
nyco
but "done is better than perfect"
and "stop starting, start finishing"
nyco
oops
nyco
https://trello.com/b/Dn6IQOu0/board-meetings
Martin
Getting a bit ahead of ourselves unless a third board member pipes up
nyco
few items
Arc
present.
Martin
Ah, splendid, we are 3
nyco
meh
Martin
Let's get started
nyco
go?
Martin
1. Roll call
nyco
gavel, are you here?
Martin
Myself, nyco, and Arc in attendance
Martin
2. Minutes. jonasw?
nyco
\m/
jonasw
yes
MattJ
Here
Martin
Ooh, a 4th, excellent
nyco
good!
Martin
3. Topics for decisions. Only thing on Trello is the logo, which I think we okayed last week?
jonasw
yes you did
Martin
OK
Martin
4. Commitment list
Martin
4.1 Council & board elections
Martin
I saw an email went out about these, what else do we need to do?
dwd
Martin, Put your name down? :-)
nyco
nothing? agree? say goodbye or apply again?
Guus
Perhaps board could reach out to nonmembers
Martin
I guess I'm asking the more seasoned hands if the Board have anything specific we need to do at this point?
dwd
Martin, First, ensure that Alex has done the job, which he has.
Arc
I'll apply again
dwd
Martin, Second, note it for the record.
Martin
Right, good, noted that Alex sent out the details to the members list. As Guus has mentioned, casting a wide net can't hurt.
Martin
5. Items for discussion
jonasw
again?
Martin
5.1 "Discuss renaming 'Draft' to 'Stable'"
Martin
jonasw: Again what?
jonasw
aahhh
jonasw
I’m too stupid to discern "Discussion" and "decision"
jonasw
nevermind me
jonasw
(I thought we had "Topics for *discussion*" already, but it was "decision")
Martin
Mailing list ref: https://mail.jabber.org/pipermail/standards/2017-September/033441.html
Martin
Any thoughts on this?
Arc
I'm not sure if we're the right body to decide this
Martin
I was wondering the same
dwd
Arc, You are, because changes to XEP-0001 (which this would be) are approved by Board.
nyco
"Recommendation", "Request For Comments": what does it mean?
nyco
what are the expected benefits of such a name change? for whom?
jonasw
nyco, I think this has been discussed in the standards@ thread
Martin
Yeah, there still seems to be a fair bit of discussion going on in the mailing list, might be worth seeing how that pans out
Arc
seems it, yes
jonasw
the discussion has been stalled for more than one week
Guus
That discussion wasn't followed up on any longer.
Martin
Blame my inability to navigate mailing lists
Arc
Guus: you're running for the board, right?
Guus
Did Council have a statement/
Guus
Am I?
Guus
I'm considering it, but I've got a bit too many boards on my plate as it is :)
Arc
me too
Martin
OK, correct me if I'm mis-reading the ML thread, but there doesn't seem to be a consensus?
Martin
So there's a discussion, and it seems to have come to a halt, but not to a conclusion...
Guus
I think the consensus was to not rename 'experimental' (but strive for XEPs to not linger in that state), but to rename 'draft'
dwd
Guus, I proposed the specific case of Draft => Stable, and even I'm not convinced that has general agreement from people.
Guus
I'm under the impression that this was also discussed and agreed on by Council, but I'm not sure?
Guus
Okay, I might have misread/misinterpreted. I've not been able to keep up the pace the last few days.
dwd
Council didn't approve it; it decided to let discussion continue and see what the Board said.
Guus
So, what needs to happen for Board to decide either way?
Guus
"further discussion" won't happen without incentive
Guus
dwd, I apologize for the confusion, I must have mixed up a few things.
Guus
I'll try to pay better attention next time :)
MattJ
I think the discussion has been too varied so far. Before I'd want to approve any change with a Board hat on, I'd rather see a very specific proposal backed by members
Martin
+1 to that MattJ
Arc
+1 to MattJ
* dwd was about to type roughly what MattJ said.
MattJ
I can post such a proposal to the list
nyco
+1 to dwd
Martin
Thanks MattJ
Guus
MattJ, please do
Martin
5.2 Outsource trademark license application decisions from board to separate WG
Martin
Did this come from you, Guus?
Guus
Nope. Ge0rG, I think
Martin
Mixing up my G's
Guus
We get that a lot.
Ge0rG
It was me.
Martin
Not much context around it on Trello. I created the card so I probably should've asked for more at the time.
Ge0rG
Not a very serious proposal, just because board had such a long no-meeting time.
Martin
Are/were there applications that got held up?
jonasw
mine did
jonasw
by a week or so
jonasw
nothing urgent though
Martin
Feels like a sledgehammer to crack a nut, if the cliche translates.
jonasw
I tend to agree
Martin
OK, I'll archive it
Martin
Ok, let's bring this to a close.
Martin
6. AOBs?
Guus
Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?
nyco
nope
Martin
My AOB is I won't be able to attend the next 3 board meetings due to holidays.
Martin
7. Time & date of next, +1W?
MattJ
wfm
Arc
good
Martin
Right, think we're done. Thanks everyone.
nyco
+1w
Guus
Martin, Arc?
nyco
gotta go, thx, bye!
ralphm
Sorry again, guys.
Martin
Guus: I work for Surevine, my interest is in using federation to make systems that fit an organisation, not the other way around.
Guus
thanks. Arc?
ralphm
Ge0rG: not cool at all.
Arc
Guus: ?
ralphm
Your oneliner for the record
jonasw
16:31:51 Guus> Martin, Arc, where do you work, and what's your primary interest in XMPP,
in one or two lines?
jonasw
that’s the context I guess
Guus
yup
Guus
yeah, I've now ripped it from your last membership application.
Guus
bio PR in 3, 2, 1...
Guus
https://github.com/xsf/xmpp.org/pull/376
Guus
does martin have a github account?
Guus
ah, found it
Guus
Kev, you here by any chance?
Ge0rG
ralphm: pardon me please? What's not cool m
Ge0rG
s/m/?/
Arc
I won't be tricked into giving a bio :-P
Guus
Arc: please note that a bio has been provided nonetheless. :)
Arc
good, then it's not autobio :-P
Guus
Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
Guus
what's the name for this part in the domain name of a component? thispart.example.org ?
ralphm
label, I think
ralphm
But that's DNS terminology, not specific to XMPP
ralphm
In XMPP, other than for DNS resolution, the domain is opaque
SamWhited
There are three labels in that domain name though. I suspect Guus wants to refer specifically to the subdomain
ralphm
There's no intrinsic relation between example.org and sub.example.org
SamWhited
It's still common to need to refer to the sub. part though
which also caters for "top-level" domains like .co.uk somewhat
jonasw
(cc @ Guus)
Guus
Thanks (putting kids to bed now, afk)
jonasw
have fun
Guus
Also, ralphm : Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
Guus
Please elevate my permissions.
ralphm
I'm not near a device to easily do these things
Guus
in xmpp, component domains need not be subdomains of the xmpp domain?
Zash
Nope
Link Mauve
Nope.
Guus
wow. Pretty sure that that's not supported in any of our code
Link Mauve
Prosody special-cases those by advertising them in the disco#items of the “parent” domain, other servers may do similar things.
Zash
By convention
Link Mauve
Guus, by “your”, do you mean OF?
Guus
yeah, and Whack
Guus
the external component implementation that we have
Guus
Perhaps that's because I've always thought this way, but why would one not want an external component to be hierarchically under the xmpp domain? It's part of the same realm, no?
Link Mauve
Because there is no relation between them.
stefandxm
also think about PKI/certificates
stefandxm
in a decentralized solution you need to have multiple independent root certificates
stefandxm
(it is the same argument as @Link Mauve says really, just a different angle)
Guus
does someone actually use addressing like that for external components?
Guus
working with my own stuff, I've obviously never seen it. Nor had or heard of the need.
Zash
Outside of the component protocol, it's just another JID
Link Mauve
Guus, at JabberFR we serve some 73 user domains, all of them share the same set of components to provide them nice additional features.
Guus
Cool
Guus
one of the many things to improve on, then
stefandxm
Guus, what do you mean? Multiple domains?
stefandxm
multiple domains without s2s?
stefandxm
or?
Guus
stefandxm: Link already answered, but I was wondering if there were external components "in the wild" that really have an address that's not a subdomain of the (single) xmpp domain that they're connected to.
Guus
that's how I've always used them
Guus
I've been looking at our code - don't even think it would be too hard to change for Openfire - but then again, I wonder if it's worth the trouble
stefandxm
we had it at my old job
stefandxm
we ran a hybrid cloud
stefandxm
our cloud was in cloud.companydomain.top
stefandxm
rather than company.cloud.top
stefandxm
it makes more sense security-wise when it comes to firewalls
stefandxm
it's also very nice to use for onboarding
stefandxm
and not only firewalls but in general. because of certificates again
stefandxm
if you run xmpp.company.com
stefandxm
you can have a certificate that is linked to the company
stefandxm
how would you know to trust company.xmpphost.com ?
stefandxm
all you know is that you want to trust company.com
stefandxm
what is this xmpphost?
moparisthebest
company.xmpphost.com has a certificate valid for company.com, that's how
moparisthebest
or, DNSSEC
stefandxm
sure
stefandxm
my bad. It's of course possible
stefandxm
albeit seen implementations not liking it
stefandxm
but that's just buggy =)
stefandxm
but i still hold that xmpp.company.com makes more sense
moparisthebest
the name doesn't matter at all
moparisthebest
you validate the name in the cert
moparisthebest
it's actually more code to care whether it's a subdomain or not
stefandxm
it's a dual side of the coin really
stefandxm
yeah
stefandxm
and in reality code is what makes everything work
stefandxm
lets say you have microsoft.knownfisher.com
stefandxm
will you like this certificate even if you would trust the PKI for the certificate alone?
stefandxm
it's not trivial in reality. But I agree so I don't want to argue :)
stefandxm
However. I found out the buildscript issue
stefandxm
so now I updated http://opensource.clayster.com/lwtsd/Communications/lwtsd
stefandxm
with "new" error management
stefandxm
I'll send it in as a XEP if there are enough people who think it is worth the work
moparisthebest
so the call for experience on '368 ended yesterday, what's the procedure for a few clerical updates on a draft xep? do I just put in a PR or what?
moparisthebest
I suppose council votes or something?
jonasw
moparisthebest, ask me again tomorrow if nobody replies to you in the meantime
ralphm
There's always room for textual changes for clarification and typos and such. A PR seems like a good start. Naturally it is up to the Editors to discuss with Council if a change meets the requirements in section 9.4 of XEP-0001: https://xmpp.org/extensions/xep-0001.html#states-Final
ralphm
moparisthebest: ^
moparisthebest
it's just more clarification and 1 change from SHOULD to MAY
moparisthebest
but yeah I'll put in a PR and go from there, thanks ralphm