XSF Discussion - 2017-10-06

  1. moparisthebest

    Ha this is the same argument as the one against e2e earlier https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless

  2. zinid

    moparisthebest: seems like the dude is only concerned about mitm?

  3. vanitasvitae

    Hi! Awesome to see that JET is now experimental :D I noticed some formatting issues in the pdf though. The table under §5 is crippled. Since this is likely to occur elsewhere as well, I thought I'd bring that to your attention :)

  4. Ge0rG

    vanitasvitae: the best approach is probably to open an issue on the xeps repo. Or even to provide a patch ;)

  5. vanitasvitae

    Guus told me, that SamWhited and jonasw are doing some work on this, so let me ping you :)

  6. vanitasvitae

    I'm not familiar with the pdf build process, so I think I'll just open an issue (if there is none yet)

  7. Guus

    I don't think they're still actively working on it - but things did change recently.

  8. vanitasvitae

    I opened https://github.com/xsf/xeps/issues/521

  9. jonasw

    nobody is familiar with the pdf build process :D

  10. jonasw

    yeah, I doubt we can do anything about that

  11. jonasw

    (looking at the issue)

  12. jonasw

    it’s simply too wide for the PDF output

  13. vanitasvitae

    yeah, I guess you're right

  14. jonasw

    ideally editors would proofread the PDF output and ensure that it is nice, but ...

  15. jonasw

    I’m actually more inclined to terminate PDF output altogether than doing that ;-)

  16. vanitasvitae

    In that case there is not much to do I guess :D

  17. vanitasvitae

    But pdfs are so nice... :D

  18. jonasw

    I prefer the HTML version, esp. since Sam's recent CSS fixes

  19. jonasw

    one of the few things I prefer to have in my browser over a separate application

  20. Guus

    vanitasvitae: can you replace the namespace by a (shorter) reference to a namespace, somehow?

  21. jonasw

    that would probably do the trick, yes

  22. vanitasvitae

    maybe get rid of the "-"s as a first step?

  23. vanitasvitae

    and shorten "nopadding" to "nopad"?

  24. Guus

    hey, the logo on the PDF (first page), looks weird

  25. Guus

    it's the old / broken logo, but also has black colors for the outside bits, instead of the blue?

  26. vanitasvitae

    that's an issue with firefox I think

  27. jonasw


  28. jonasw


  29. Guus

    might be, but I'm using Chrome :)

  30. jonasw

    it’s also in the original PDF of the logo

  31. jonasw

    super weird

  32. vanitasvitae

    the logo is rendered differently in pdf viewers and browsers I think

  33. vanitasvitae

    at least I noticed that some time ago

  34. jonasw

    can’t easily fix that though, because the PDF includes the "XMPP" text for which I don’t have the font I think

  35. jonasw

    no, it is definitely also in the source files, vanitasvitae

  36. Guus

    what format is the source?

  37. jonasw

    this is extremely ugly https://sotecware.net/images/dont-puush-me/FHNZUlDByHqPUgjwj1Cq2EhPat6zvV5sfbTtJ__tlLI.png

  38. jonasw


  39. Guus


  40. jonasw

    I can try to mess with it to embed the new logo in that, should be doable

  41. vanitasvitae

    PDF missing the main purpose of its existence :D

  42. Guus

    I've got SVGs for the logo, but not the text

  43. jonasw

    how did you make xmpp.png then?

  44. jonasw

    by hand?

  45. Guus

    yeah, I erased the logo, copied in a newly generated one from SVG using the correct size

  46. jonasw


  47. Guus

    interestingly, the page headers also have a (very small) logo, where the colors are correct.

  48. jonasw


  49. jonasw

    those are two different files

  50. jonasw

    patching them now

  51. Guus

    thanks :)

  52. Guus

    I'm somewhat surprised that the source components are PDFs themselves. Then again, I know nothing.

  53. jonasw

    that’s usual for LaTeX

  54. jonasw

    you can only have PDF as vector format without extra packages when building with {pdf,xe,lua}latex

  55. jonasw

    now that’s interesting

  56. jonasw


  57. jonasw

    the pdf including the text contains quite a bit more

  58. jonasw

    notably, the blue tones are not included in the design specs on the top left

  59. Guus

    Ah, that's by the original designer

  60. Guus


  61. Guus

    he's who I talked to earlier.

  62. Guus

    also, it lists a typeface? :)

  63. Guus

    Eurostile Bold Extended

  64. Guus


  65. Guus

    seems to be it :)

  66. jonasw

    that PDF is super weird

  67. jonasw

    but I guess that’s what you get from opening PDFs with inkscape

  68. Guus

    those appear to be printing masters

  69. Guus

    it's probably what the original authors of the PDF generation had available at the time

  70. jonasw

    making a test build with patched PDFs

  71. jonasw

    (now I in fact wonder if all built PDFs contain the whole printing master...)

  72. jonasw

    (or if something is smart enough to crop that out)

  73. jonasw

    (which I doubt, because it’s pdflatex we’re speaking about)

  74. jonasw

    well, xelatex

  75. Guus

    how big is it? If it's just a fraction of the total size, I wouldn't bother improving it further

  76. jonasw

    a few kiB

  77. jonasw

    I was just wondering conceptually

  78. jonasw

    because that’s essentially the XMPP Corporate Design ;-)

  79. jonasw

    thereifixedit: https://sotecware.net/files/noindex/xep-0391.pdf cc @ Guus

  80. Guus

    fun fact: the font used for the 'XMPP' text in our logo is also used in 2001: A Space Odyssey, for the interface of HAL. :)

  81. Guus

    ah, much better, thanks!

  82. jonasw

    let’s push that

  83. jonasw

    now I get the feeling that I did already quite a lot today! :-)

  84. Guus

    and it's only 10 am :)

  85. jonasw


  86. Guus

    wanna pop over to jdev and see if you have feedback on my question there? :)

  87. Guus

    oh, you already were there :)

  88. jonasw

    there you go ;-)

  89. Guus

    tx :)

  90. Ge0rG

    It's 10 AM and I feel like weekend already

  91. jonasw

    Ge0rG, good news: weekend for me already. wait. that’s only good news for me. sorry.

  92. Guus

    you just told us you were available.

  93. Guus

    that might've been a mistake :P

  94. jonasw

    Guus, do you have power over the dockerhub by now? If so, does that include the xeps builds? That’d be good to know.

  95. Kev

    He does, yes.

  96. jonasw

    great. Just in case there are issues again, but I suspect now that we don’t source stuff from sourceforge anymore, it should be fine

  97. Guus

    (what Kev said)

  98. Flow

    dwd: What was the motivation for renaming the 'mechanism' to 'task' in SASL2?

  99. Kev

    IIRC because it can do things other than present SASL mechs. I could be wrong.

  100. Flow

    k, thanks

  101. dwd

    It also can't do the things mechanisms do. Like change the authorization identifier. Plus they need one to start.

  102. Flow

    could <task> also contain a SASL mech?

  103. dwd


  104. Flow

    Wasn't one idea that multiple mechs could be chained with SASL2?

  105. Guus

    did you use two different clients just now, dwd?

  106. Guus

    your nickname had different colors in Spark

  107. dwd

    Guus, Conversations for both those (Gajim for this one). Probably Conversations was detached; it looks like it injected a delay stamp.

  108. dwd

    Flow, So yes, the idea originally was that all these things are SASL mechs. But in practice, when developing, they're not. The first thing is a SASL mech, any subsequent ones are similar to mechanisms but distinct in that they're provided with an authzid, and cannot change it.

  109. Flow

    authzid was the thing which would allow you to impersonate another entity, right?

  110. Kev

    Not impersonate, but yes.

  111. dwd

    Flow, No, the authzid is the (most important) output of the SASL process. In XMPP, it's your jid.

  112. Flow

    ahh, ok, then it's the authcid I was thinking about

  113. Kev

    It's the thing that tells you what you are.

  114. dwd

    Flow, Probably not.

  115. Flow

    then what's the authcid again?

  116. Guus

    you authentiCate with authcid, you are then authoriZed for using authzid

  117. Flow

    An authorization identity is an OPTIONAL identity included by the initiating entity to specify an identity to act as

  118. dwd

    Flow, The authentication identifier is the identifier used to identify you to the SASL mechanism. Typically you don't specify an authzid, and again typically in XMPP the authcid is just the local-part of the jid and the authzid is then figured out from that.

  119. Flow

    That does sound like authzid is what I said it is

  120. dwd

    Flow, It is optional to supply, because it can be derived (normally).

  121. dwd

    Flow, You do, always, end up with an authzid. Worth looking at TLS+EXTERNAL as an example - your authcid there is the certificate (or arguably the Subject of it). The authzid might be derived from it (usually from a SAN) or you might supply it.

  122. dwd

    Flow, There's no "impersonation" going on, though that, too, is an option (known as "Proxy Authentication", because you're authenticating to be a proxy for another user)

  123. Flow

    So what exactly is the problem that following SASL mechs can't change the authzid? Usually you either never provide the authzid or you provide it, in which case all chained mechs should/must provide the same

  124. dwd

    Flow, There's absolutely no power on earth that'll make me try to implement that. It's a nightmare.

  125. Flow

    And what is the point in being able to optionally supply the authzid? Re-using the same credentials for different accounts?

  126. Flow

    Anyway, I don't see a problem that subsequent mechs can not change the authzid

  127. Guus

    I'm no expert, but I thought it was primarily used when the username you authenticate with isn't an exact match with the account name that you're authenticating for.

  128. dwd

    Flow, Sometimes to avoid confusion (like with TLS+EXTERNAL), sometimes for Proxy Auth. Also, if you've a username from, say, Active Directory that's not valid for XMPP, this can be a way around that problem too.

  129. Flow

    I think we're mixing two aspects of authzid: The one is where a sasl mech can optionally provide it, the other one is that you only know your full JID after being authenticated

  130. dwd

    Flow, Input and output, is all.

  131. Flow

    For chaining mechs, only the former can be possibly relevant, and I don't see why we can't simply say that all chained mechs must provide the same authzid, if they provide any at all

  132. dwd

    Flow, Why do you want to?

  133. Flow

    Guus: Yep, besides that your username can be completely different from the localpart of the JID you get

  134. Flow

    dwd: Why do I want to chain SASL mechs? Well the idea sounded appealing to me back then. And I don't see why we gave up on it

  135. dwd

    Flow, Because I tried implementing it and it was horrible.

  136. dwd

    Flow, Whereas I *have* implemented the current spec, along with TOTP etc, and it all works well.

  137. Flow

    dwd: Maybe, but what is different by having tasks now? SASL mechs are basically just a sequence of challenges and responses, surely tasks are very similar to that?

  138. dwd

    Flow, Yes, the protocol interface is the same, but the internal server-side interface is pretty different.

  139. Flow

    dwd: shouldn't ex4 in xep388 show a bare jid, or, when do I get a full JID at this stage?

  140. Flow

    ahh, we do bind2 there also

  141. Flow

    uh and bind2 still has no support for a client provided part ☹

  142. Kev

    Is anyone ready to implement bind2? If so I'll try to find time to add that.

  143. Flow

    and sasl2 can be used without bind2? A lot of possibilities ☺

  144. Flow

    (but it's getting complicated)

  145. Kev

    dwd: Did you do bind2 with sasl2, or not?

  146. dwd

    Kev, I've been toying with a bind2 embedded in sasl2 in my implementation just to see, but I've not tried it yet.

  147. Flow

    Kev: ex2 in xep388 hints at bind2

  148. dwd

    Flow, Also ISR. But I've not quite finished 198 resumption yet, so...

  149. dwd

    Flow, I think I said (read: I meant it to say) it was a hypothetical extension, in ex2.

  150. moparisthebest

    ha AOL is finally killing AIM

  151. moparisthebest

    I... didn't know it was still alive

  152. Alex

    ya, just read the news here: https://aimemories.tumblr.com/

  153. SamWhited

    That's AIM, MSN Messenger, and Yahoo Messenger all gone… the 90's are finally over :'(

  154. moparisthebest

    well we still have XML >:)

  155. SamWhited

    Only the worst parts of the 90's are still around…

  156. SamWhited goes to rewatch `The Fresh Prince of Bel-Air' to make himself feel better

  157. dwd

    moparisthebest, Where? We're now using a "React-like wire protocol", remember?

  158. moparisthebest

    dwd, I haven't heard of that but it sounds terrifying

  159. dwd

    No, no. It's great. It'll get us all the cool kids now. Better than json.

  160. Guus

    I heard you use this argument a few days ago

  161. Guus

    so presumably, there now is a newer fashion.

  162. moparisthebest


  163. moparisthebest

    longtime guy in IRC channel mentions jabber, I say that's awesome when did you start using it

  164. moparisthebest

    he says just now to try to talk to some drug dealers from darkweb sites

  165. moparisthebest

    so, that's nice haha

  166. zinid

    definitely success

  167. dwd

    moparisthebest, Well, at least we have a dedicated niche market.

  168. moparisthebest

    yea use is exploding in a certain market segment I guess

  169. moparisthebest

    anyone want to sign up and ask about usability issues, UI problems etc

  170. Guus

    yeah, let's fix those nasty spam control issues that they're experiencing for them

  171. moparisthebest

    I can probably get the .onion site domain haha

  172. moparisthebest

    see here is a segment that probably values forward secrecy over long term archives right?

  173. dwd

    moparisthebest, Depends if they have a sideline in blackmail, I guess.

  174. moparisthebest

    guess the 'seller' is using jodo.im I'm guessing it has IBR enabled judging by the flash 9.0 required on the http page