XSF Discussion - 2017-10-04

  1. MattJ

    I don't think XEP-0156 security considerations go far enough

  2. MattJ

    DNS is insecure (in practice), and there is no requirement for the BOSH URL in DNS to match your login host

  3. MattJ

    So anyone with the ability to forge DNS for your domain can redirect XEP-0156-capable clients to any place they choose

  4. Zash

    -xep 156

  5. Bunneh

    Zash: XEP-0156: Discovering Alternative XMPP Connection Methods (Standards Track, Draft, 2016-06-07) See: https://xmpp.org/extensions/xep-0156.html

  6. Zash

    -xep dnssec

  7. Bunneh

    Zash: XEP-0344: Impact of TLS and DNSSEC on Dialback (Standards Track, Deferred, 2017-09-11) See: https://xmpp.org/extensions/xep-0344.html

  8. Flow

    MattJ: anyone with the ability for forge DNS for your domain can redirect clients to any place they choose

  9. MattJ

    and then you use TLS certificate verification to detect that

  10. MattJ

    and you don't go ahead with the connection

  11. Flow

    and that is not true for xep156?

  12. MattJ


  13. MattJ

    The XEP recommends using HTTPS, but this is not enough

  14. jonasw

    Flow, well, it is true, but the attacker can choose the name the client validates against :)

  15. MattJ

    the BOSH URL can be https://mitm.badguy.net/http-bind

  16. Flow

    jonasw: with BOSH you validate the cert not against the XMPP domain you want to connect to?

  17. MattJ

    As long as the bad guy knows how to use Let's Encrypt to get a cert for his own domain, everything will work fine

  18. Flow

    ahh ok

  19. MattJ

    BOSH is just HTTPS, it was designed to be used where only a HTTPS API was available

  20. Flow

    yep, in that case xep156 should eventually require DNSSEC

  21. Zash

    Like how DNSSEC-signed SRV records are an acceptable proof of delegation

  22. jonasw

    as if you could enforce that in a JS client.

  23. Link Mauve

    Another issue is that browsers don’t expose DNSSEC validation to the application.

  24. Link Mauve

    Hmm, no, that’s unrelated, the HTTP-based way in 0156 is fine, since it is done against the user’s domain.

  25. moparisthebest

    Ge0rG, so https://op-co.de/blog/posts/java_sslsocket_mitm/ "undisclosed Android application (contacted on 2014-07-21)" is it time to name it yet? :)

  26. Flow

    I had discloused the application back then. I think there where no commits since then

  27. Flow

    Uh, I was wrong, last commit is less then 22 months ago

  28. moparisthebest

    so which app?

  29. Ge0rG

    moparisthebest: I'm pretty sure it was Xabber.

  30. Flow

    Ge0rG: sure? I remember it was a different app

  31. Ge0rG

    Flow: I'll have a look at my mail archive some time later today

  32. moparisthebest

    either way 3 years was probably enough time to name them :)

  33. moparisthebest

    they've either fixed it or never will at this point

  34. Flow

    moparisthebest: there aren't that many xmpp clients for android which existed in 2014 and are not listed on the page

  35. Flow

    for example xabber is listed

  36. jonasw

    to quote from council@: 15:31:23 Tobias> we have logs again, thanks to whoever did that I can only +1 that :)

  37. jonasw

    even with the logs from the past

  38. intosi


  39. intosi

    The gap's there because we didn't log anything at all in that period.

  40. Guus blames intosi

  41. Guus

    ah, unfortunate timing of that message :)

  42. intosi

    * the six month gap between mid March and September.

  43. jonasw


  44. jonasw

    I didn’t see that :)

  45. jonasw

    still amazing :)

  46. jonasw

    but at least from mid sept, that’s already good

  47. intosi

    Anything before The Event might not be there, even though the page claims it's there. It's a bit hit and miss.

  48. intosi

    Yet, didn't want to prune it.

  49. Link Mauve

    Want me to fill the logs I obtained during that time?

  50. Link Mauve

    They are in the mcabber/poezio format, which should be easy to convert into whatever format you are using.

  51. intosi

    @Link Mauve not a terrible idea. No idea when I have time to look at that, but if you have them, might as well pop them over and we can see when to fill in the blanks.

  52. moparisthebest

    watch out, Link Mauve could have modified logs for his own nefarious purposes

  53. Link Mauve

    I’ll send March-September for this room, do you want any other room I’m in?

  54. moparisthebest


  55. intosi

    moparisthebest: a valid point

  56. Link Mauve

    Like council@.

  57. Link Mauve

    moparisthebest, indeed.

  58. moparisthebest

    what, I don't remember the board electing Link Mauve XMPP king for life back in march, oh well, it's in the logs

  59. jonasw

    I can send my logs, too

  60. jonasw

    same format :)

  61. jonasw

    we can diff the textual content and see if there’s anything wrong there

  62. moparisthebest

    only if we trust you two aren't colluding

  63. jonasw

    the order should be equivalent, just the timestamps can be fuzzy.

  64. SamWhited

    I smell collusion.

  65. jonasw


  66. Guus

    as if we should trust the both of you not conspiring...

  67. jonasw

    I still have a grudge against Link Mauve for not delivering the XEP update he promised, so there’s no way we are colluding!!k :-)

  68. intosi

    I can toss in whatever I have logged in my own archive, and make an outright mess of things ;)

  69. moparisthebest

    jonasw, that's exactly what someone colluding would say

  70. Ge0rG

    I can conspi.. eh.. contribute logs in the same format.

  71. Link Mauve


  72. jonasw

    Link Mauve, just kidding :)

  73. Link Mauve

    I will never collude again with you then!

  74. jonasw


  75. moparisthebest

    can we vote members out?

  76. Link Mauve

    jonasw, aren’t we colluding right now?

  77. jonasw

    I’m too confused at this point.

  78. ralphm

    I'll likely not make the board meeting today, sorry

  79. Guus

    With SCAM, I'd like to get the effort underway to organize FOSDEM'18 & the corresponding summit. I'd be grateful if people that were invovled in earlier events could help out (as I'm unsure where to start)

  80. Guus

    please find us in either the summit or scam MUC!

  81. Guus

    (but first: dinner! afk)

  82. Ge0rG

    summit dinner?

  83. nyco

    Board meeting time

  84. Martin


  85. Martin

    Who's around?

  86. nyco

    I'm here until :30

  87. jonasw

    I can take minutes

  88. nyco

    but "done is better than perfect" and "stop starting, start finishing"

  89. nyco


  90. nyco


  91. Martin

    Getting a bit ahead of ourselves unless a third board member pipes up

  92. nyco

    few items

  93. Arc


  94. Martin

    Ah, splendid, we are 3

  95. nyco


  96. Martin

    Let's get started

  97. nyco


  98. Martin

    1. Roll call

  99. nyco

    gavel, are you here?

  100. Martin

    Myself, nyco, and Arc in attendance

  101. Martin

    2. Minutes. jonasw?

  102. nyco


  103. jonasw


  104. MattJ


  105. Martin

    Ooh, a 4th, excellent

  106. nyco


  107. Martin

    3. Topics for decisions. Only thing on Trello is the logo, which I think we okayed last week?

  108. jonasw

    yes you did

  109. Martin


  110. Martin

    4. Commitment list

  111. Martin

    4.1 Council & board elections

  112. Martin

    I saw an email went out about these, what else do we need to do?

  113. dwd

    Martin, Put your name down? :-)

  114. nyco

    nothing? agree? say goodbye or apply again?

  115. Guus

    Perhaps board could reach out to nonmembers

  116. Martin

    I guess I'm asking the more seasoned hands if the Board have anything specific we need to do at this point?

  117. dwd

    Martin, First, ensure that Alex has done the job, which he has.

  118. Arc

    i'll apply again

  119. dwd

    Martin, Second, note it for the record.

  120. Martin

    Right, good, noted that Alex sent out the details to the members list. As Guus has mentioned, casting a wide net can't hurt.

  121. Martin

    5. Items for discussion

  122. jonasw


  123. Martin

    5.1 "Discuss renaming 'Draft' to 'Stable'

  124. Martin

    jonasw: Again what?

  125. jonasw


  126. jonasw

    I’m too stupid to discern "Discussion" and "decision"

  127. jonasw

    nevermind me

  128. jonasw

    (I thought we had "Topics for *discussion*" already, but it was "decision")

  129. Martin

    Mailing list ref: https://mail.jabber.org/pipermail/standards/2017-September/033441.html

  130. Martin

    Any thoughts on this?

  131. Arc

    im not sure if we're the right body to decide this

  132. Martin

    I was wondering the same

  133. dwd

    Arc, You are, because changes to XEP-0001 (which this would be) are approved by Board.

  134. nyco

    "Recommandation", "Request For Comments": what does it mean?

  135. nyco

    what are the expected benefits of such a name change? for whom?

  136. jonasw

    nyco, I think this has been discussed in the standards@ thread

  137. Martin

    Yeah, there still seems to be a fair bit of discussion going on in the mailing list, might be worth seeing how that pans out

  138. Arc

    seems it, yes

  139. jonasw

    the discussion has been stalled for more than one week

  140. Guus

    That discussion wasn't followed up on any longer.

  141. Martin

    Blame my inability to navigate mailing lists

  142. Arc

    Guus: you're running for the board, right?

  143. Guus

    Did Council have a statement/

  144. Guus

    Am I?

  145. Guus

    I'm considering it, but I've got a bit much boards on my plate as it is :)

  146. Arc

    me too

  147. Martin

    OK, correct me if I'm mis-reading the ML thread, but there doesn't seem to be a consensus?

  148. Martin

    So there's a discussion, and it seems to have come to a halt, but not to a conclusion...

  149. Guus

    I think the consensus was to not rename 'experimental' (but strive for XEPs to not linger in that state), but to rename 'draft'

  150. dwd

    Guus, I proposed the specific case of Draft => Stable, and even I'm not convinced that has genera agreement from people.

  151. Guus

    I'm under the impression that this was also discussed and agreed on by Council, but I'm not sure?

  152. Guus

    Okay, I might have misread/misinterpreted. I've not been able to keep up the pace the last few days.

  153. dwd

    Council didn't approve it; it decided to let discussion continue and see what the Board said.

  154. Guus

    So, what needs to happen for Board to decide either way?

  155. Guus

    "further discussion" won't happen without incentive

  156. Guus

    dwd, I apologize for the confusion, I must have mixed up a few things.

  157. Guus

    I'll try to pay better attention next time :)

  158. MattJ

    I think the discussion has been too varied so far. Before I'd want to approve any change with a Board hat on, I'd rather see a very specific proposal backed by members

  159. Martin

    +1 to that MattJ

  160. Arc

    +1 to MattJ

  161. dwd was about to type roughly what MattJ said.

  162. MattJ

    I can post such a proposal to the list

  163. nyco

    +1 to dwd

  164. Martin

    Thanks MattJ

  165. Guus

    MattJ, please do

  166. Martin

    5.2 Outsource trademark license application decisions from board to separate WG

  167. Martin

    Did this come from you, Guus?

  168. Guus

    Nope. Ge0rG, I think

  169. Martin

    Mixing up my G's

  170. Guus

    We get that a lot.

  171. Ge0rG

    It was me.

  172. Martin

    Not much context around it on Trello. I created the card so I probably should've asked for more at the time.

  173. Ge0rG

    Not a very serious proposal, just because board had such a long no-meeting time.

  174. Martin

    Are/were there applications that got held up?

  175. jonasw

    mine did

  176. jonasw

    by a week or so

  177. jonasw

    nothing urgent though

  178. Martin

    Feels like a sledgehammer to crack a nut, if the cliche translates.

  179. jonasw

    I tend to agree

  180. Martin

    OK, I'll archive it

  181. Martin

    Ok, let's bring this to a close.

  182. Martin

    6. AOBs?

  183. Guus

    Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?

  184. nyco


  185. Martin

    My AOB is I won't be able to attend the next 3 board meetings due to holidays.

  186. Martin

    7. Time & date of next, +1W?

  187. MattJ


  188. Arc


  189. Martin

    Right, think we're done. Thanks everyone.

  190. nyco


  191. Guus

    Martin, Arc?

  192. nyco

    gotta go, thx, bye!

  193. ralphm

    Sorry again, guys.

  194. Martin

    Guus: I work for Surevine, my interest is in using federation to make systems that fit an organisation, not the other way around.

  195. Guus

    thanks. Arc?

  196. ralphm

    Ge0rG: not cool at all.

  197. Arc

    Guus: ?

  198. ralphm

    Your oneliner for the record

  199. jonasw

    16:31:51 Guus> Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?

  200. jonasw

    that’s the context I guess

  201. Guus


  202. Guus

    yeah, I've now ripped it from your last membership application.

  203. Guus

    bio PR in 3, 2, 1...

  204. Guus


  205. Guus

    does martin have a github account?

  206. Guus

    ah, found it

  207. Guus

    Kev, you here by any chance?

  208. Ge0rG

    ralphm: pardon me please? What's not cool m

  209. Ge0rG


  210. Arc

    I won't be tricked into giving a bio :-P

  211. Guus

    Arc: please note that a bio has been provided none-the-less. :)

  212. Arc

    good, then its not autobio :-P

  213. Guus

    Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).

  214. Guus

    what's the name for this part in the domain name of a component? thispart.example.org ?

  215. ralphm

    label, I think

  216. ralphm

    But that's DNS terminology, not specific to XMPP

  217. ralphm

    In XMPP, other than for DNS resolution, the domain is opaque

  218. SamWhited

    There are three labels in that domain name though. I suspect Guus wants to refer specifically to the subdomain

  219. ralphm

    There's no intrinsic relation between example.org and sub.example.org

  220. SamWhited

    It's still common to need to refer to the sub. part though

  221. Zash

    "fully qualified"?

  222. ralphm

    That is nothing more than convention

  223. ralphm

    The whole thing is fqdn, sure

  224. ralphm

    The leftmost part is then a hostname

  225. Zash

    Not sure if fqdn is a well-defined term tho

  226. ralphm

    Totally is

  227. ralphm


  228. jonasw

    the common term is third-level domain

  229. jonasw

    which also caters for "top-level" domains like .co.uk somewhat

  230. jonasw

    (cc @ Guus)

  231. Guus

    Thanks (putting kids to bed now, afk)

  232. jonasw

    have fun

  233. Guus

    Also, ralphm : Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).

  234. Guus

    Please elevate my permissions.

  235. ralphm

    I'm not near a device to easily do these things

  236. Guus

    in xmpp, component domains need not be subdomains of the xmpp domain?

  237. Zash


  238. Link Mauve


  239. Guus

    wow. Pretty sure that that's not supported in any of our code

  240. Link Mauve

    Prosody special-cases those by advertising them in the disco#items of the “parent” domain, other servers may do similar things.

  241. Zash

    By convention

  242. Link Mauve

    Guus, by “your”, do you mean OF?

  243. Guus

    yeah, and Whack

  244. Guus

    the external component implementation that we have

  245. Guus

    Perhaps that's because I've always thought this way, but why would one not want an external component to be hierarchically under the xmpp domain? It's part of the same realm, no?

  246. Link Mauve

    Because there is no relation between them.

  247. stefandxm

    also think about PKI/certificates

  248. stefandxm

    in a decentralized sollution you need to have mulitple independant root certificates

  249. stefandxm

    (it is the sam argument as @Link Mauve says really, just a different angle)

  250. Guus

    does someone actually use addressing like that for external components?

  251. Guus

    working with my own stuff, i've obviously never seen it. Nor had or heard of the need.

  252. Zash

    Outside of the component protocol, it's just another JID

  253. Link Mauve

    Guus, at JabberFR we serve some 73 user domains, all of them share the same set of components to provide them nice additional features.

  254. Guus


  255. Guus

    one of the many things to improve on, then

  256. stefandxm

    Guus, what do you mean? Multiple domains?

  257. stefandxm

    multiple domains without s2s?

  258. stefandxm


  259. Guus

    stefandxm: Link already answered, but I was wondering if there were external components "in the wild" that really have an address that's not a subdomain of the (single) xmpp domain that they're connected to.

  260. Guus

    that's how I've always used them

  261. Guus

    I've been looking at our code - don't even think it would be to hard to change for Openfire - but then again, I wonder if it's worth the trouble

  262. stefandxm

    we had it at my old job

  263. stefandxm

    we ran a hybrid cloud

  264. stefandxm

    our cloud was in cloud.companydomain.top

  265. stefandxm

    rather than company.cloud.top

  266. stefandxm

    it makes more sense securitywise when it comes to firewalls

  267. stefandxm

    its also very nice to use for onboarding

  268. stefandxm

    and not only firewalls but in general. because of certificates again

  269. stefandxm

    if you run xmpp.company.com

  270. stefandxm

    you can have a certificate that is linked to the company

  271. stefandxm

    how would you know to trust company.xmpphost.com ?

  272. stefandxm

    all you know is that you want to trust company.com

  273. stefandxm

    what is this xmpphost?

  274. moparisthebest

    company.xmpphost.com has a certificate valid for company.com, that's how

  275. moparisthebest

    or, DNSSEC

  276. stefandxm


  277. stefandxm

    my bad. its of course possible

  278. stefandxm

    albeit seen implementations not liking it

  279. stefandxm

    but that just buggy =)

  280. stefandxm

    but i still hold that xmpp.company.com makes more sense

  281. moparisthebest

    the name doesn't matter at all

  282. moparisthebest

    you validate the name in the cert

  283. moparisthebest

    it's actually more code to care whether it's a subdomain or not

  284. stefandxm

    its a dual side of the coin really

  285. stefandxm


  286. stefandxm

    and in reality code is what makes everything works

  287. stefandxm

    lets say you have microsoft.knownfisher.com

  288. stefandxm

    will you like this certificate even if you would trust the PKI for the certificate alone?

  289. stefandxm

    its not trivial in reality. but i agree so i dont want to argue :)

  290. stefandxm

    However. I found out the buildscript issue

  291. stefandxm

    so know i updated http://opensource.clayster.com/lwtsd/Communications/lwtsd

  292. stefandxm

    with "new" error management

  293. stefandxm

    ill send it in as an xep if there is enough people who thinks it is worth the work

  294. moparisthebest

    so the call for experience on '368 ended yesterday, what's the procedure for a few clerical updates on a draft xep? do I just put in a PR or what?

  295. moparisthebest

    I suppose council votes or something?

  296. jonasw

    moparisthebest, ask me again tomorrow if nobody replies to you in the meantime

  297. ralphm

    There's always room for textual changes for clarification and typos and such. A PR seems like a good start. Naturally it is up to the Editors to discuss with Council if a change meets the requirements in section 9.4 of XEP-0001: https://xmpp.org/extensions/xep-0001.html#states-Final

  298. ralphm

    moparisthebest: ^

  299. moparisthebest

    it's just more clarification and 1 change from SHOULD to MAY

  300. moparisthebest

    but yeal I'll put in a PR and go from there, thanks ralphm