-
MattJ
I don't think XEP-0156 security considerations go far enough
-
MattJ
DNS is insecure (in practice), and there is no requirement for the BOSH URL in DNS to match your login host
-
MattJ
So anyone with the ability to forge DNS for your domain can redirect XEP-0156-capable clients to any place they choose
-
Zash
-xep 156
-
Bunneh
Zash: XEP-0156: Discovering Alternative XMPP Connection Methods (Standards Track, Draft, 2016-06-07) See: https://xmpp.org/extensions/xep-0156.html
-
Zash
-xep dnssec
-
Bunneh
Zash: XEP-0344: Impact of TLS and DNSSEC on Dialback (Standards Track, Deferred, 2017-09-11) See: https://xmpp.org/extensions/xep-0344.html
-
Flow
MattJ: anyone with the ability to forge DNS for your domain can redirect clients to any place they choose
-
MattJ
and then you use TLS certificate verification to detect that
-
MattJ
and you don't go ahead with the connection
-
Flow
and that is not true for xep156?
-
MattJ
No
-
MattJ
The XEP recommends using HTTPS, but this is not enough
-
jonasw
Flow, well, it is true, but the attacker can choose the name the client validates against :)
-
MattJ
the BOSH URL can be https://mitm.badguy.net/http-bind
-
Flow
jonasw: with BOSH you validate the cert not against the XMPP domain you want to connect to?
-
MattJ
As long as the bad guy knows how to use Let's Encrypt to get a cert for his own domain, everything will work fine
-
Flow
ahh ok
-
MattJ
BOSH is just HTTPS, it was designed to be used where only an HTTPS API was available
-
Flow
yep, in that case xep156 should eventually require DNSSEC
-
Zash
Like how DNSSEC-signed SRV records are an acceptable proof of delegation
-
jonasw
as if you could enforce that in a JS client.
-
Link Mauve
Another issue is that browsers don’t expose DNSSEC validation to the application.
-
Link Mauve
Hmm, no, that’s unrelated, the HTTP-based way in 0156 is fine, since it is done against the user’s domain.
-
moparisthebest
Ge0rG, so https://op-co.de/blog/posts/java_sslsocket_mitm/ "undisclosed Android application (contacted on 2014-07-21)" is it time to name it yet? :)
-
Flow
I had disclosed the application back then. I think there were no commits since then
-
Flow
Uh, I was wrong, last commit is less than 22 months ago
-
moparisthebest
so which app?
-
Ge0rG
moparisthebest: I'm pretty sure it was Xabber.
-
Flow
Ge0rG: sure? I remember it was a different app
-
Ge0rG
Flow: I'll have a look at my mail archive some time later today
-
moparisthebest
either way 3 years was probably enough time to name them :)
-
moparisthebest
they've either fixed it or never will at this point
-
Flow
moparisthebest: there aren't that many xmpp clients for android which existed in 2014 and are not listed on the page
-
Flow
for example xabber is listed
-
jonasw
to quote from council@: 15:31:23 Tobias> we have logs again, thanks to whoever did that I can only +1 that :)
-
jonasw
even with the logs from the past
-
intosi
:)
-
intosi
The gap's there because we didn't log anything at all in that period.
- Guus blames intosi
-
Guus
ah, unfortunate timing of that message :)
-
intosi
* the six month gap between mid March and September.
-
jonasw
ohh
-
jonasw
I didn’t see that :)
-
jonasw
still amazing :)
-
jonasw
but at least from mid sept, that’s already good
-
intosi
Anything before The Event might not be there, even though the page claims it's there. It's a bit hit and miss.
-
intosi
Yet, didn't want to prune it.
-
Link Mauve
Want me to fill the logs I obtained during that time?
-
Link Mauve
They are in the mcabber/poezio format, which should be easy to convert into whatever format you are using.
-
intosi
@Link Mauve not a terrible idea. No idea when I have time to look at that, but if you have them, might as well pop them over and we can see when to fill in the blanks.
-
moparisthebest
watch out, Link Mauve could have modified logs for his own nefarious purposes
-
Link Mauve
I’ll send March-September for this room, do you want any other room I’m in?
-
moparisthebest
:P
-
intosi
moparisthebest: a valid point
-
Link Mauve
Like council@.
-
Link Mauve
moparisthebest, indeed.
-
moparisthebest
what, I don't remember the board electing Link Mauve XMPP king for life back in march, oh well, it's in the logs
-
jonasw
I can send my logs, too
-
jonasw
same format :)
-
jonasw
we can diff the textual content and see if there’s anything wrong there
-
moparisthebest
only if we trust you two aren't colluding
-
jonasw
the order should be equivalent, just the timestamps can be fuzzy.
-
SamWhited
I smell collusion.
-
jonasw
nevar!
-
Guus
as if we should trust the both of you not conspiring...
-
jonasw
I still have a grudge against Link Mauve for not delivering the XEP update he promised, so there’s no way we are colluding!! :-)
-
intosi
I can toss in whatever I have logged in my own archive, and make an outright mess of things ;)
-
moparisthebest
jonasw, that's exactly what someone colluding would say
-
Ge0rG
I can conspi.. eh.. contribute logs in the same format.
-
Link Mauve
:o
-
jonasw
Link Mauve, just kidding :)
-
Link Mauve
I will never collude again with you then!
-
jonasw
"again"?
-
moparisthebest
can we vote members out?
-
Link Mauve
jonasw, aren’t we colluding right now?
-
jonasw
I’m too confused at this point.
-
ralphm
I'll likely not make the board meeting today, sorry
-
Guus
With SCAM, I'd like to get the effort underway to organize FOSDEM'18 & the corresponding summit. I'd be grateful if people that were involved in earlier events could help out (as I'm unsure where to start)
-
Guus
please find us in either the summit or scam MUC!
-
Guus
(but first: dinner! afk)
-
Ge0rG
summit dinner?
-
nyco
Board meeting time
-
Martin
Indeed
-
Martin
Who's around?
-
nyco
I'm here until :30
-
jonasw
I can take minutes
-
nyco
but "done is better than perfect" and "stop starting, start finishing"
-
nyco
oops
-
nyco
https://trello.com/b/Dn6IQOu0/board-meetings
-
Martin
Getting a bit ahead of ourselves unless a third board member pipes up
-
nyco
few items
-
Arc
present.
-
Martin
Ah, splendid, we are 3
-
nyco
meh
-
Martin
Let's get started
-
nyco
go?
-
Martin
1. Roll call
-
nyco
gavel, are you here?
-
Martin
Myself, nyco, and Arc in attendance
-
Martin
2. Minutes. jonasw?
-
nyco
\m/
-
jonasw
yes
-
MattJ
Here
-
Martin
Ooh, a 4th, excellent
-
nyco
good!
-
Martin
3. Topics for decisions. Only thing on Trello is the logo, which I think we okayed last week?
-
jonasw
yes you did
-
Martin
OK
-
Martin
4. Commitment list
-
Martin
4.1 Council & board elections
-
Martin
I saw an email went out about these, what else do we need to do?
-
dwd
Martin, Put your name down? :-)
-
nyco
nothing? agree? say goodbye or apply again?
-
Guus
Perhaps board could reach out to nonmembers
-
Martin
I guess I'm asking the more seasoned hands if the Board have anything specific we need to do at this point?
-
dwd
Martin, First, ensure that Alex has done the job, which he has.
-
Arc
I'll apply again
-
dwd
Martin, Second, note it for the record.
-
Martin
Right, good, noted that Alex sent out the details to the members list. As Guus has mentioned, casting a wide net can't hurt.
-
Martin
5. Items for discussion
-
jonasw
again?
-
Martin
5.1 "Discuss renaming 'Draft' to 'Stable'"
-
Martin
jonasw: Again what?
-
jonasw
aahhh
-
jonasw
I’m too stupid to discern "Discussion" and "decision"
-
jonasw
nevermind me
-
jonasw
(I thought we had "Topics for *discussion*" already, but it was "decision")
-
Martin
Mailing list ref: https://mail.jabber.org/pipermail/standards/2017-September/033441.html
-
Martin
Any thoughts on this?
-
Arc
I'm not sure if we're the right body to decide this
-
Martin
I was wondering the same
-
dwd
Arc, You are, because changes to XEP-0001 (which this would be) are approved by Board.
-
nyco
"Recommendation", "Request For Comments": what does it mean?
-
nyco
what are the expected benefits of such a name change? for whom?
-
jonasw
nyco, I think this has been discussed in the standards@ thread
-
Martin
Yeah, there still seems to be a fair bit of discussion going on in the mailing list, might be worth seeing how that pans out
-
Arc
seems it, yes
-
jonasw
the discussion has been stalled for more than one week
-
Guus
That discussion wasn't followed up on any longer.
-
Martin
Blame my inability to navigate mailing lists
-
Arc
Guus: you're running for the board, right?
-
Guus
Did Council have a statement?
-
Guus
Am I?
-
Guus
I'm considering it, but I've got a bit too many boards on my plate as it is :)
-
Arc
me too
-
Martin
OK, correct me if I'm mis-reading the ML thread, but there doesn't seem to be a consensus?
-
Martin
So there's a discussion, and it seems to have come to a halt, but not to a conclusion...
-
Guus
I think the consensus was to not rename 'experimental' (but strive for XEPs to not linger in that state), but to rename 'draft'
-
dwd
Guus, I proposed the specific case of Draft => Stable, and even I'm not convinced that has general agreement from people.
-
Guus
I'm under the impression that this was also discussed and agreed on by Council, but I'm not sure?
-
Guus
Okay, I might have misread/misinterpreted. I've not been able to keep up the pace the last few days.
-
dwd
Council didn't approve it; it decided to let discussion continue and see what the Board said.
-
Guus
So, what needs to happen for Board to decide either way?
-
Guus
"further discussion" won't happen without incentive
-
Guus
dwd, I apologize for the confusion, I must have mixed up a few things.
-
Guus
I'll try to pay better attention next time :)
-
MattJ
I think the discussion has been too varied so far. Before I'd want to approve any change with a Board hat on, I'd rather see a very specific proposal backed by members
-
Martin
+1 to that MattJ
-
Arc
+1 to MattJ
- dwd was about to type roughly what MattJ said.
-
MattJ
I can post such a proposal to the list
-
nyco
+1 to dwd
-
Martin
Thanks MattJ
-
Guus
MattJ, please do
-
Martin
5.2 Outsource trademark license application decisions from board to separate WG
-
Martin
Did this come from you, Guus?
-
Guus
Nope. Ge0rG, I think
-
Martin
Mixing up my G's
-
Guus
We get that a lot.
-
Ge0rG
It was me.
-
Martin
Not much context around it on Trello. I created the card so I probably should've asked for more at the time.
-
Ge0rG
Not a very serious proposal, just because board had such a long no-meeting time.
-
Martin
Are/were there applications that got held up?
-
jonasw
mine did
-
jonasw
by a week or so
-
jonasw
nothing urgent though
-
Martin
Feels like a sledgehammer to crack a nut, if the cliche translates.
-
jonasw
I tend to agree
-
Martin
OK, I'll archive it
-
Martin
Ok, let's bring this to a close.
-
Martin
6. AOBs?
-
Guus
Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?
-
nyco
nope
-
Martin
My AOB is I won't be able to attend the next 3 board meetings due to holidays.
-
Martin
7. Time & date of next, +1W?
-
MattJ
wfm
-
Arc
good
-
Martin
Right, think we're done. Thanks everyone.
-
nyco
+1w
-
Guus
Martin, Arc?
-
nyco
gotta go, thx, bye!
-
ralphm
Sorry again, guys.
-
Martin
Guus: I work for Surevine, my interest is in using federation to make systems that fit an organisation, not the other way around.
-
Guus
thanks. Arc?
-
ralphm
Ge0rG: not cool at all.
-
Arc
Guus: ?
-
ralphm
Your oneliner for the record
-
jonasw
16:31:51 Guus> Martin, Arc, where do you work, and what's your primary interest in XMPP, in one or two lines?
-
jonasw
that’s the context I guess
-
Guus
yup
-
Guus
yeah, I've now ripped it from your last membership application.
-
Guus
bio PR in 3, 2, 1...
-
Guus
https://github.com/xsf/xmpp.org/pull/376
-
Guus
does martin have a github account?
-
Guus
ah, found it
-
Guus
Kev, you here by any chance?
-
Ge0rG
ralphm: pardon me please? What's not cool m
-
Ge0rG
s/m/?/
-
Arc
I won't be tricked into giving a bio :-P
-
Guus
Arc: please note that a bio has been provided nonetheless. :)
-
Arc
good, then it's not autobio :-P
-
Guus
Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
-
Guus
what's the name for this part in the domain name of a component? thispart.example.org ?
-
ralphm
label, I think
-
ralphm
But that's DNS terminology, not specific to XMPP
-
ralphm
In XMPP, other than for DNS resolution, the domain is opaque
-
SamWhited
There are three labels in that domain name though. I suspect Guus wants to refer specifically to the subdomain
-
ralphm
There's no intrinsic relation between example.org and sub.example.org
-
SamWhited
It's still common to need to refer to the sub. part though
-
Zash
"fully qualified"?
-
ralphm
That is nothing more than convention
-
ralphm
The whole thing is fqdn, sure
-
ralphm
The leftmost part is then a hostname
-
Zash
Not sure if fqdn is a well-defined term tho
-
ralphm
Totally is
-
ralphm
https://en.m.wikipedia.org/wiki/Fully_qualified_domain_name
-
jonasw
the common term is third-level domain
-
jonasw
which also caters for "top-level" domains like .co.uk somewhat
-
jonasw
(cc @ Guus)
-
Guus
Thanks (putting kids to bed now, afk)
-
jonasw
have fun
-
Guus
Also, ralphm : Kev, Bear, Peter, Ralphm (Lloyd that I don't know). Please elevate me from member to owner on our github repo, add me to the team on dockerhub, and provide me with the twitter credentials. It'd be good to have someone else be available to help people out with requests in order to speed up things (and as I'm currently the requestee most of the time, who's also in iteam, I'd be a logical candidate).
-
Guus
Please elevate my permissions.
-
ralphm
I'm not near a device to easily do these things
-
Guus
in xmpp, component domains need not be subdomains of the xmpp domain?
-
Zash
Nope
-
Link Mauve
Nope.
-
Guus
wow. Pretty sure that that's not supported in any of our code
-
Link Mauve
Prosody special-cases those by advertising them in the disco#items of the “parent” domain, other servers may do similar things.
-
Zash
By convention
-
Link Mauve
Guus, by “your”, do you mean OF?
-
Guus
yeah, and Whack
-
Guus
the external component implementation that we have
-
Guus
Perhaps that's because I've always thought this way, but why would one not want an external component to be hierarchically under the xmpp domain? It's part of the same realm, no?
-
Link Mauve
Because there is no relation between them.
-
stefandxm
also think about PKI/certificates
-
stefandxm
in a decentralized solution you need to have multiple independent root certificates
-
stefandxm
(it is the same argument as @Link Mauve says really, just a different angle)
-
Guus
does someone actually use addressing like that for external components?
-
Guus
working with my own stuff, I've obviously never seen it. Nor had or heard of the need.
-
Zash
Outside of the component protocol, it's just another JID
-
Link Mauve
Guus, at JabberFR we serve some 73 user domains, all of them share the same set of components to provide them nice additional features.
-
Guus
Cool
-
Guus
one of the many things to improve on, then
-
stefandxm
Guus, what do you mean? Multiple domains?
-
stefandxm
multiple domains without s2s?
-
stefandxm
or?
-
Guus
stefandxm: Link already answered, but I was wondering if there were external components "in the wild" that really have an address that's not a subdomain of the (single) xmpp domain that they're connected to.
-
Guus
that's how I've always used them
-
Guus
I've been looking at our code - don't even think it would be too hard to change for Openfire - but then again, I wonder if it's worth the trouble
-
stefandxm
we had it at my old job
-
stefandxm
we ran a hybrid cloud
-
stefandxm
our cloud was in cloud.companydomain.top
-
stefandxm
rather than company.cloud.top
-
stefandxm
it makes more sense security-wise when it comes to firewalls
-
stefandxm
it's also very nice to use for onboarding
-
stefandxm
and not only firewalls but in general. because of certificates again
-
stefandxm
if you run xmpp.company.com
-
stefandxm
you can have a certificate that is linked to the company
-
stefandxm
how would you know to trust company.xmpphost.com ?
-
stefandxm
all you know is that you want to trust company.com
-
stefandxm
what is this xmpphost?
-
moparisthebest
company.xmpphost.com has a certificate valid for company.com, that's how
-
moparisthebest
or, DNSSEC
-
stefandxm
sure
-
stefandxm
my bad. its of course possible
-
stefandxm
albeit seen implementations not liking it
-
stefandxm
but that's just buggy =)
-
stefandxm
but i still hold that xmpp.company.com makes more sense
-
moparisthebest
the name doesn't matter at all
-
moparisthebest
you validate the name in the cert
-
moparisthebest
it's actually more code to care whether it's a subdomain or not
-
stefandxm
it's a dual side of the coin really
-
stefandxm
yeah
-
stefandxm
and in reality code is what makes everything work
-
stefandxm
let's say you have microsoft.knownfisher.com
-
stefandxm
will you like this certificate even if you would trust the PKI for the certificate alone?
-
stefandxm
it's not trivial in reality. But I agree so I don't want to argue :)
-
stefandxm
However. I found out the buildscript issue
-
stefandxm
so now I updated http://opensource.clayster.com/lwtsd/Communications/lwtsd
-
stefandxm
with "new" error management
-
stefandxm
I'll send it in as a XEP if there are enough people who think it is worth the work
-
moparisthebest
so the call for experience on '368 ended yesterday, what's the procedure for a few clerical updates on a draft xep? do I just put in a PR or what?
-
moparisthebest
I suppose council votes or something?
-
jonasw
moparisthebest, ask me again tomorrow if nobody replies to you in the meantime
-
ralphm
There's always room for textual changes for clarification and typos and such. A PR seems like a good start. Naturally it is up to the Editors to discuss with Council if a change meets the requirements in section 9.4 of XEP-0001: https://xmpp.org/extensions/xep-0001.html#states-Final
-
ralphm
moparisthebest: ^
-
moparisthebest
it's just more clarification and 1 change from SHOULD to MAY
-
moparisthebest
but yeah I'll put in a PR and go from there, thanks ralphm