Bunneh: Zash: XEP-0344: Impact of TLS and DNSSEC on Dialback (Standards Track, Deferred, 2017-09-11)
See: https://xmpp.org/extensions/xep-0344.html
Flow: MattJ: anyone with the ability to forge DNS for your domain can redirect clients to any place they choose
MattJ: and then you use TLS certificate verification to detect that
MattJ: and you don't go ahead with the connection
Flow: and that is not true for xep156?
MattJ: No
MattJ: The XEP recommends using HTTPS, but this is not enough
jonasw: Flow, well, it is true, but the attacker can choose the name the client validates against :)
MattJ: the BOSH URL can be https://mitm.badguy.net/http-bind
Flow: jonasw: with BOSH you validate the cert not against the XMPP domain you want to connect to?
MattJ: As long as the bad guy knows how to use Let's Encrypt to get a cert for his own domain, everything will work fine
Flow: ahh ok
MattJ: BOSH is just HTTPS, it was designed to be used where only a HTTPS API was available
Flow: yep, in that case xep156 should eventually require DNSSEC
Zash: Like how DNSSEC-signed SRV records are an acceptable proof of delegation
jonasw: as if you could enforce that in a JS client.
Link Mauve: Another issue is that browsers don’t expose DNSSEC validation to the application.
Link Mauve: Hmm, no, that’s unrelated, the HTTP-based way in 0156 is fine, since it is done against the user’s domain.
moparisthebest: Ge0rG, so https://op-co.de/blog/posts/java_sslsocket_mitm/ "undisclosed Android application (contacted on 2014-07-21)" is it time to name it yet? :)
Flow: I had disclosed the application back then. I think there were no commits since then
Flow: Uh, I was wrong, last commit is less than 22 months ago
moparisthebest: so which app?
Ge0rG: moparisthebest: I'm pretty sure it was Xabber.
Flow: Ge0rG: sure? I remember it was a different app
Ge0rG: Flow: I'll have a look at my mail archive some time later today
moparisthebest: either way 3 years was probably enough time to name them :)
moparisthebest: they've either fixed it or never will at this point
Flow: moparisthebest: there aren't that many xmpp clients for android which existed in 2014 and are not listed on the page
Flow: for example xabber is listed
jonasw: to quote from council@:
15:31:23 Tobias> we have logs again, thanks to whoever did that
I can only +1 that :)
jonasw: even with the logs from the past
intosi: :)
intosi: The gap's there because we didn't log anything at all in that period.
Guus blames intosi
Guus: ah, unfortunate timing of that message :)
intosi: * the six month gap between mid March and September.
jonasw: ohh
jonasw: I didn’t see that :)
jonasw: still amazing :)
jonasw: but at least from mid sept, that’s already good
intosi: Anything before The Event might not be there, even though the page claims it's there. It's a bit hit and miss.
intosi: Yet, didn't want to prune it.
Link Mauve: Want me to fill the logs I obtained during that time?
Link Mauve: They are in the mcabber/poezio format, which should be easy to convert into whatever format you are using.
intosi: @Link Mauve not a terrible idea. No idea when I have time to look at that, but if you have them, might as well pop them over and we can see when to fill in the blanks.
moparisthebest: watch out, Link Mauve could have modified logs for his own nefarious purposes
Link Mauve: I’ll send March-September for this room, do you want any other room I’m in?
moparisthebest: :P
intosi: moparisthebest: a valid point
Link Mauve: Like council@.
Link Mauve: moparisthebest, indeed.
moparisthebest: what, I don't remember the board electing Link Mauve XMPP king for life back in march, oh well, it's in the logs
jonasw: I can send my logs, too
jonasw: same format :)
jonasw: we can diff the textual content and see if there’s anything wrong there
moparisthebest: only if we trust you two aren't colluding
jonasw: the order should be equivalent, just the timestamps can be fuzzy.
SamWhited: I smell collusion.
jonasw: nevar!
Guus: as if we should trust the both of you not conspiring...
jonasw: I still have a grudge against Link Mauve for not delivering the XEP update he promised, so there’s no way we are colluding!! :-)
intosi: I can toss in whatever I have logged in my own archive, and make an outright mess of things ;)
moparisthebest: jonasw, that's exactly what someone colluding would say
Ge0rG: I can conspi.. eh.. contribute logs in the same format.
Link Mauve: :o
jonasw: Link Mauve, just kidding :)
Link Mauve: I will never collude again with you then!
jonasw: "again"?
moparisthebest: can we vote members out?
Link Mauve: jonasw, aren’t we colluding right now?
jonasw: I’m too confused at this point.
ralphm: I'll likely not make the board meeting today, sorry
Guus: With SCAM, I'd like to get the effort underway to organize FOSDEM'18 & the corresponding summit. I'd be grateful if people that were involved in earlier events could help out (as I'm unsure where to start)
Guus: please find us in either the summit or scam MUC!
Guus: (but first: dinner! afk)
Ge0rG: summit dinner?
nyco: Board meeting time
Martin: Indeed
Martin: Who's around?
nyco: I'm here until :30
jonasw: I can take minutes
nyco: but "done is better than perfect"
and "stop starting, start finishing"
nyco: oops
nyco: https://trello.com/b/Dn6IQOu0/board-meetings
Martin: Getting a bit ahead of ourselves unless a third board member pipes up
nyco: few items
Arc: present.
Martin: Ah, splendid, we are 3
nyco: meh
Martin: Let's get started
nyco: go?
Martin: 1. Roll call
nyco: gavel, are you here?
Martin: Myself, nyco, and Arc in attendance
Martin: 2. Minutes. jonasw?
nyco: \m/
jonasw: yes
MattJ: Here
Martin: Ooh, a 4th, excellent
nyco: good!
Martin: 3. Topics for decisions. Only thing on Trello is the logo, which I think we okayed last week?
jonasw: yes you did
Martin: OK
Martin: 4. Commitment list
Martin: 4.1 Council & board elections
Martin: I saw an email went out about these, what else do we need to do?
dwd: Martin, Put your name down? :-)
nyco: nothing? agree? say goodbye or apply again?
Guus: Perhaps board could reach out to nonmembers
Martin: I guess I'm asking the more seasoned hands if the Board have anything specific we need to do at this point?
dwd: Martin, First, ensure that Alex has done the job, which he has.
Arc: i'll apply again
dwd: Martin, Second, note it for the record.
Martin: Right, good, noted that Alex sent out the details to the members list. As Guus has mentioned, casting a wide net can't hurt.
Martin: 5. Items for discussion
jonasw: again?
Martin: 5.1 "Discuss renaming 'Draft' to 'Stable'
Martin: jonasw: Again what?
jonasw: aahhh
jonasw: I’m too stupid to discern "Discussion" and "decision"
jonasw: nevermind me
jonasw: (I thought we had "Topics for *discussion*" already, but it was "decision")
Martin: Mailing list ref: https://mail.jabber.org/pipermail/standards/2017-September/033441.html
Martin: Any thoughts on this?
Arc: im not sure if we're the right body to decide this
Martin: I was wondering the same
dwd: Arc, You are, because changes to XEP-0001 (which this would be) are approved by Board.
nyco: "Recommendation", "Request For Comments": what does it mean?
nyco: what are the expected benefits of such a name change? for whom?
jonasw: nyco, I think this has been discussed in the standards@ thread
Martin: Yeah, there still seems to be a fair bit of discussion going on in the mailing list, might be worth seeing how that pans out
Arc: seems it, yes
jonasw: the discussion has been stalled for more than one week
Guus: That discussion wasn't followed up on any longer.
Martin: Blame my inability to navigate mailing lists
Arc: Guus: you're running for the board, right?
Guus: Did Council have a statement?
Guus: Am I?
Guus: I'm considering it, but I've got a bit much boards on my plate as it is :)
Arc: me too
Martin: OK, correct me if I'm mis-reading the ML thread, but there doesn't seem to be a consensus?
Martin: So there's a discussion, and it seems to have come to a halt, but not to a conclusion...
Guus: I think the consensus was to not rename 'experimental' (but strive for XEPs to not linger in that state), but to rename 'draft'
dwd: Guus, I proposed the specific case of Draft => Stable, and even I'm not convinced that has general agreement from people.
Guus: I'm under the impression that this was also discussed and agreed on by Council, but I'm not sure?
Guus: Okay, I might have misread/misinterpreted. I've not been able to keep up the pace the last few days.
dwd: Council didn't approve it; it decided to let discussion continue and see what the Board said.
Guus: So, what needs to happen for Board to decide either way?
Guus: "further discussion" won't happen without incentive
Guus: dwd, I apologize for the confusion, I must have mixed up a few things.
Guus: I'll try to pay better attention next time :)
MattJ: I think the discussion has been too varied so far. Before I'd want to approve any change with a Board hat on, I'd rather see a very specific proposal backed by members
Martin: +1 to that MattJ
Arc: +1 to MattJ
dwd was about to type roughly what MattJ said.
MattJ: I can post such a proposal to the list
nyco: +1 to dwd
Martin: Thanks MattJ
Guus: MattJ, please do
Martin: 5.2 Outsource trademark license application decisions from board to separate WG
Martin: Did this come from you, Guus?
Guus: Nope. Ge0rG, I think
Martin: Mixing up my G's
Guus: We get that a lot.
Ge0rG: It was me.
Martin: Not much context around it on Trello. I created the card so I probably should've asked for more at the time.
Ge0rG: Not a very serious proposal, just because board had such a long no-meeting time.
Martin: Are/were there applications that got held up?
jonasw: mine did
jonasw: by a week or so
jonasw: nothing urgent though
Martin: Feels like a sledgehammer to crack a nut, if the cliche translates.
jonasw: I tend to agree
Martin: OK, I'll archive it
Martin: Ok, let's bring this to a close.
Martin: 6. AOBs?
Guus: Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?
nyco: nope
Martin: My AOB is I won't be able to attend the next 3 board meetings due to holidays.
Martin: 7. Time & date of next, +1W?
MattJ: wfm
Arc: good
Martin: Right, think we're done. Thanks everyone.
nyco: +1w
Guus: Martin, Arc?
nyco: gotta go, thx, bye!
ralphm: Sorry again, guys.
Martin: Guus: I work for Surevine, my interest is in using federation to make systems that fit an organisation, not the other way around.
Guus: thanks. Arc?
ralphm: Ge0rG: not cool at all.
Arc: Guus: ?
ralphm: Your oneliner for the record
jonasw: 16:31:51 Guus> Martin, Arc, where do you work, and what's your primary interest in XMPP,
in one or two lines?
jonasw: that’s the context I guess
Guus: yup
Guus: yeah, I've now ripped it from your last membership application.
Guus: bio PR in 3, 2, 1...
Guus: https://github.com/xsf/xmpp.org/pull/376
Guus: does martin have a github account?
Guus: ah, found it
Guus: Kev, you here by any chance?
Ge0rG: ralphm: pardon me please? What's not cool m
Ge0rG: s/m/?/
Arc: I won't be tricked into giving a bio :-P
Guus: Arc: please note that a bio has been provided none-the-less. :)
Arc: good, then it's not autobio :-P
Guus: Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
Guus: what's the name for this part in the domain name of a component? thispart.example.org ?
ralphm: label, I think
ralphm: But that's DNS terminology, not specific to XMPP
ralphm: In XMPP, other than for DNS resolution, the domain is opaque
SamWhited: There are three labels in that domain name though. I suspect Guus wants to refer specifically to the subdomain
ralphm: There's no intrinsic relation between example.org and sub.example.org
SamWhited: It's still common to need to refer to the sub. part though
jonasw: which also caters for "top-level" domains like .co.uk somewhat
jonasw: (cc @ Guus)
Guus: Thanks (putting kids to bed now, afk)
jonasw: have fun
Guus: Also, ralphm : Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
Guus: Please elevate my permissions.
ralphm: I'm not near a device to easily do these things
Guus: in xmpp, component domains need not be subdomains of the xmpp domain?
Zash: Nope
Link Mauve: Nope.
Guus: wow. Pretty sure that that's not supported in any of our code
Link Mauve: Prosody special-cases those by advertising them in the disco#items of the “parent” domain, other servers may do similar things.
Zash: By convention
Link Mauve: Guus, by “your”, do you mean OF?
Guus: yeah, and Whack
Guus: the external component implementation that we have
Guus: Perhaps that's because I've always thought this way, but why would one not want an external component to be hierarchically under the xmpp domain? It's part of the same realm, no?
Link Mauve: Because there is no relation between them.
stefandxm: also think about PKI/certificates
stefandxm: in a decentralized solution you need to have multiple independent root certificates
stefandxm: (it is the same argument as @Link Mauve says really, just a different angle)
Guus: does someone actually use addressing like that for external components?
Guus: working with my own stuff, i've obviously never seen it. Nor had or heard of the need.
Zash: Outside of the component protocol, it's just another JID
Link Mauve: Guus, at JabberFR we serve some 73 user domains, all of them share the same set of components to provide them nice additional features.
Guus: Cool
Guus: one of the many things to improve on, then
stefandxm: Guus, what do you mean? Multiple domains?
stefandxm: multiple domains without s2s?
stefandxm: or?
Guus: stefandxm: Link already answered, but I was wondering if there were external components "in the wild" that really have an address that's not a subdomain of the (single) xmpp domain that they're connected to.
Guus: that's how I've always used them
Guus: I've been looking at our code - don't even think it would be too hard to change for Openfire - but then again, I wonder if it's worth the trouble
stefandxm: we had it at my old job
stefandxm: we ran a hybrid cloud
stefandxm: our cloud was in cloud.companydomain.top
stefandxm: rather than company.cloud.top
stefandxm: it makes more sense securitywise when it comes to firewalls
stefandxm: it's also very nice to use for onboarding
stefandxm: and not only firewalls but in general. because of certificates again
stefandxm: if you run xmpp.company.com
stefandxm: you can have a certificate that is linked to the company
stefandxm: how would you know to trust company.xmpphost.com ?
stefandxm: all you know is that you want to trust company.com
stefandxm: what is this xmpphost?
moparisthebest: company.xmpphost.com has a certificate valid for company.com, that's how
moparisthebest: or, DNSSEC
stefandxm: sure
stefandxm: my bad. it's of course possible
stefandxm: albeit seen implementations not liking it
stefandxm: but that's just buggy =)
stefandxm: but i still hold that xmpp.company.com makes more sense
moparisthebest: the name doesn't matter at all
moparisthebest: you validate the name in the cert
moparisthebest: it's actually more code to care whether it's a subdomain or not
stefandxm: it's a dual side of the coin really
stefandxm: yeah
stefandxm: and in reality code is what makes everything work
stefandxm: lets say you have microsoft.knownfisher.com
stefandxm: will you like this certificate even if you would trust the PKI for the certificate alone?
stefandxm: it's not trivial in reality. but i agree so i don't want to argue :)
stefandxm: However. I found out the buildscript issue
stefandxm: so now i updated http://opensource.clayster.com/lwtsd/Communications/lwtsd
stefandxm: with "new" error management
stefandxm: i'll send it in as an xep if there are enough people who think it is worth the work
moparisthebest: so the call for experience on '368 ended yesterday, what's the procedure for a few clerical updates on a draft xep? do I just put in a PR or what?
moparisthebest: I suppose council votes or something?
jonasw: moparisthebest, ask me again tomorrow if nobody replies to you in the meantime
ralphm: There's always room for textual changes for clarification and typos and such. A PR seems like a good start. Naturally it is up to the Editors to discuss with Council if a change meets the requirements in section 9.4 of XEP-0001: https://xmpp.org/extensions/xep-0001.html#states-Final
ralphm: moparisthebest: ^
moparisthebest: it's just more clarification and 1 change from SHOULD to MAY
moparisthebest: but yeah I'll put in a PR and go from there, thanks ralphm