GuusFor those that want to attend the Summit, and have not yet send me their email address: _please do so now_. It's needed to generate a wifi code, as well as building access.
Syndacehas left
Syndacehas joined
efrithas left
Dave Cridlandhas left
Ge0rGhttps://news.ycombinator.com/item?id=16257073 - zero xmpp.
mathieuiGe0rG, first post is pidgin/adium + OTR, which includes xmpp
Ge0rGRight, which is a set of broken and outdated things.
SouLGe0rG, you can reply recommending XMPP then :D
Ge0rGSouL: oh, yes. Which one of the horrible desktop clients shall I recommend?
jonaswGe0rG, tell them that e2e is useless anyways
jonaswI thought that’s your speciality? :)
ZashDoesn't any mention of XMPP just attract hordes of pro-Matrix trolls?
mathieuithat it does
Ge0rGjonasw: I only hate E2EE over XMPP, because it doesn't match the comms model of XMPP in any reasonable way
lskdjfhas left
SaltyBonesGe0rG, why not? Because it is not multi-device?
Ge0rGSaltyBones: because it's absolutely decoupled from the XMPP identity model.
SaltyBonesGe0rG, but that is rather common isn't it?
SaltyBonesOr do you mean something like in GPG where a key specifies the e-mail address it is for?
Ge0rGSaltyBones: not in protocols where e2ee is a first class citizen
Ge0rGSaltyBones: no, I mean things like tox where your public key is your ID
SamWhitedI haven't used Tox, but that sounds like GPG levels of unusability…
Ge0rGSamWhited: take Briar, then.
jonaswinvokes Zookos Triangle
SamWhitedAs long as I don't have to remember a key then I'll take just about anything
ZashAll hail the great Zooko
jjrhhas left
jjrhhas left
zinidhas left
Ge0rGjonasw: thanks very much. XMPP is the crypto protocol that only checks off one of the three points.
moparisthebestGe0rG, a key being inseperable from an identity isn't great either, I lose my phone, and suddenly have to let all contacts know? ew
Ge0rGmoparisthebest: only if you define key as being the same as phone.
moparisthebesthow else could you define it
Guushas left
ZashRun your own CA
Ge0rGmoparisthebest: in a dozen of other ways :P
jjrhhas left
moparisthebesthow about you have a well defined account name, maybe in the format of local@domain, and then verify keys out of band? :D
Ge0rGmoparisthebest: that's great, except it doesn't give any strong binding between your identity and your keys.
moparisthebestit does if you verify it out of band
Ge0rGmoparisthebest: in which case you can as well have cryptographic identities
ZashWho verifies it?
moparisthebestuser, if they want
moparisthebestmy only point is both have upsides and downsides, the upside of xmpp being everything else just works and you don't have to reinvent the wheel
Ge0rGexcept that not everything works in XMPP
moparisthebestbetter than reinventing the wheel
Dave Cridlandhas left
Kevhas left
ZashAnd E2EE is actively making things worse for me now. Messages only showing up on my phone :(
Ge0rGZash: what? If only somebody could have warned you!
moparisthebestanother reason identity-tied-to-key is worse, now you lose multi device support
MattJ+1
moparisthebestthat's just something that can be approved, rather than each user manually trusting all device keys of a contact, once they trust one, they could trust all others based on a signature from the one they trusted
moparisthebests/approved/improved/
Ge0rGmoparisthebest: exactly my point
moparisthebestwhat is
Ge0rGstrapping a per-device crypto identity on top of a federated per-account identity is just not going to work. full stop.
moparisthebestno, it'll work just fine
moparisthebestsure it's not ideal today, but all the building blocks are there to make it ideal
Ge0rGmoparisthebest: the building blocks are there to make it barely usable.
moparisthebestmy point is strapping per-device crypto identity mixed with identity-per-contact is unusable with multi device
Ge0rGYes.
moparisthebestso the xmpp approach is clearly better
Ge0rGlooks like we are saying the same.
Ge0rGWait.
ZashGe0rG: It might work but it'll be a hack.
Ge0rGmoparisthebest: what you just described as unusable _is_ the XMPP approach.
ZashModel conflicts all over
moparisthebestno
moparisthebestwhat you said is ideal, the key *is* your identity
moparisthebestis not compatible with multiple devices
Ge0rGmoparisthebest: you can export the key.
moparisthebestdo any current systems work that way?
Ge0rGI surely hope so.
moparisthebestI seriously doubt it, if you are routing based on key not quite sure how you route to 2 different places
moparisthebestsounds hard
Ge0rGmoparisthebest: either all of your devices use the same identity key, or you have device keys that are all maintained under your identity key.
moparisthebestby the way, it doesn't actually solve any problem, before you had a *name* and have to out-of-band ensure it matches a *key*
moparisthebestand now you have a *key* and can't match it to a *name*
moparisthebesthow is it different?
ZashThe direction of authority in XMPP is from DNS to servers to accounts to clients. E2E wants it in the other direction, sorta
moparisthebestit's not that straightforward anymore when you add DNSSEC and CAs either
moparisthebestthe root problem is how do you match a key to a person
moparisthebestand, iirc, that's not solved in any system
ZashThat's a hard problem
MattJIt's just impractical to solve in the real world
MattJIt's a nice technical challenge for ideological geeks
ZashWhen everyone learns to do cryptographic signature algorithms in their heads then maybe
MattJand then SHA256 gets broken
moparisthebestthe best we can do is 'good enough' for most people and 'rock solid' for the people who really care, which I think is basically what we have
ZashThen having users as the root of trust might work
SaltyBonesI like ideas like certificate transparency and CONIKS
SaltyBonescombining that with some good old WoT and a nice scan-barcode-to-verify should actually be pretty good
moparisthebesttoday you can meet people in person, or call them, or whatever, and verify identity, that's the rock solid for people who care
moparisthebeston the 'good enough' front, if bob from the xsf messages me, whatever, talking with him for a bit is 'good enough'
moparisthebestI mean here I am talking with Ge0rG in an anonymous muc, he might not even be the same Ge0rG from yesterday, clearly we couldn't care less about identities in XMPP :P
ZashPeople can grasp hierarchical systems, we have them everywhere, in companies and organizations. P2P and WoT is like anarchy :)
SaltyBonesZash, actually I think WoT is very natural for people but the WoT for e-mail is not explicit enough for people to get it and it is too complicated to maintain it
SaltyBonesThe bigger issue is that WoT has huge privacy issues
Ge0rG> the root problem is how do you match a key to a person
http://web.archive.org/web/20110501005631/http://thealiceandbobsuicide.org/
SaltyBonesI think a combination of a public ledger for assigning jid<->key combined with automatic WoT verification with known users would be cool
SaltyBonesGe0rG, indeed but if you meet the person that is rather easy to do
SaltyBonesthe question is how do you distribute that information so that it is readily accessible
Ge0rGSaltyBones: the WoT for mail is absolutely broken.
moparisthebestthe people on my contact list fall into 2 categories, 1. People I know in-person and have verified keys in-person 2. People I don't know in person so who cares
ZashDid you just suggest a blockchain?
Ge0rGSaltyBones: just one keyword as explanation: transitive trust.
SaltyBonesZash, I almost certainly did not, sir!
moparisthebestyou said public ledger
andrey.ghas joined
SaltyBonesBut yeah, the implication is there, but something like certificate transparency does would work as well
moparisthebestif you trust the certificate transparency servers I guess
SaltyBonesyou guess correctly
Ge0rGthe blockchain is a complex solution to a single problem of a distributed currency: double-spending.
Ge0rGI wonder how double-spending is a problem with public identities.
moparisthebesteasy, because key X signs a message saying they own me@mydomain.com
moparisthebestnow if key Y comes along and signs they own me@mydomain.com you know it's not valid
Ge0rGmoparisthebest: how do you know that key X is legitimate?
moparisthebestthey signed it first!
Ge0rGmoparisthebest: okay, so if we have a public ledger, the first to sign a JID wins.
moparisthebestyep
moparisthebestfirst come first served
Ge0rGhow does that prevent me from signing *@xmpp.org
moparisthebestit doesn't
moparisthebestwell * isn't valid so you'd have to sign a lot
moparisthebestbut yea
Ge0rGSo it's worthless as an identity tracking device. Good.
moparisthebestno it'd track identity perfectly
Ge0rGClaimed identity.
jonaswI’d argue that you shouldn’t be able to claim something@domain, but only domain
moparisthebestI just said earlier I think no one has solved this and it's basically impossible to solve :P
jonasw(and then delegate claims for something@domain)
ZashBut xmpp.org is the authority over *@xmpo.org
Ge0rGmoparisthebest: so you are trying to solve a problem you think is impossible to solve?
moparisthebestand PIR is the authority over .org and ICANN over that and US govt over that Zash , what's your point
moparisthebestGe0rG, nope it's solved good enough
Ge0rGExcept it's not.
Zashmoparisthebest: adding another name authority will create a mess
Ge0rGjonasw: what you describe is the trust model of XMPP, without any need for E2EE
jonaswGe0rG, I admit I didn’t take a close look :)
Ge0rGjonasw: servers are responsible for user identities on their service. XMPP.
Ge0rGNow one _could_ add OMEMO keys in PEP on individual JIDs and encrypt-by-default, and have E2EE with server-trusted manually-verifiable identity.
bearhas left
moparisthebestisn't that exactly how it works?
SaltyBonesI think he is missing the server-trusted...?
moparisthebestI'm not really sure what that means then, the server doesn't need to trust anything
SaltyBonesI read it as "the server should provide trust in the identities it provides"
SaltyBonesLike signing the users keys or similar
ZashHaving the server sign user identities somehow ?
SaltyBonesWell, you could also use IBE if you want to go really crazy. :)
moparisthebestthe server does basically
moparisthebestI mean the server should only allow those to be set from the account setting them
moparisthebestalice@server can't set bob@server's pep nodes can she?
bearhas joined
ralphmhas left
Ge0rGI meant that the server is trusted by default
moparisthebestGe0rG, uh again that's how it works now
Ge0rGmoparisthebest: in the single-device case.
SaltyBonesI don't see what this has to do with e2e
Ge0rG> Status - A Mobile OS, Built for Ethereum.
No further questions. I rest my case.
ZashObjection, relevance?
Ge0rGBullshit Bingo Strike.
Dave Cridlandhas left
Dave Cridlandhas left
Tobiashas joined
Dave Cridlandhas left
moparisthebestthat's really all XSF is missing
moparisthebesta marketing team full of master bullshitters
jubalhhas joined
SaltyBoneshas joined
Alexhas left
nycohas left
vanitasvitaeI read the URL like "status invests 5 minutes in riot im" :D
Steve Killehas left
moparisthebesthey, that's the same amount I invested in riot im
SaltyBonespfff
SaltyBonesFurthermore, the collaboration between Status and Matrix is expected to:
Utilize the Status Network token within Riot.im by enabling crypto assets
SaltyBonesthey are bying influence and users
vanitasvitaeI actually tested it for a few weeks. The thing that dragged me back to xmpp/conversations was that the app could not receive messages when closed.
vanitasvitaeSaltyBones, sounds a little bit like the Telegram blockchain thingy
SaltyBonesvanitasvitae, did you test riot/matrix or whisper?
moparisthebestI found it more confusing than any other IM app I've ever used
moparisthebestand then I tried installing it on my wife's phone and messaging my username
vanitasvitaeSaltyBones, I tested the app from fdroid
moparisthebestbut then my IRC account on freenode got the message instead
SaltyBonesI mean, the fact that the app cannot receive messages while closed it unlikely to be a protocol restriction✎
moparisthebestwtf
SaltyBonesI mean, the fact that the app cannot receive messages while closed is unlikely to be a protocol restriction ✏
vanitasvitaeyeah, my phone doesnt have gcm
Dave Cridlandhas left
vanitasvitaebut I gave it the same permissions I also gave conversations
jonaswmoparisthebest, wtf
Alexhas joined
moparisthebestjonasw, well turns out they have an always on freenode gateway, so if you search 'moparisthebest' in riot.im that came up before my new username :P
moparisthebeststill was confusing before I figured it out
moparisthebestbasically would not mark it 'easy to use'
jonaswso you can search arbitrary users on freenode in riot.im?
moparisthebestI've never accidentally messaged someone on freenode from conversations
moparisthebestyep
jonaswaha.
moparisthebestbut nothing clearly said 'this is an IRC user on freenode'
edhelaswho want to write some BS articles on the XMPP blog ? then we can get some funding to buy pizzas and stickers for the next Summit ?
moparisthebestthat's the problem, we need a master BS artist, and we are (all?) programmers
edhelaslike "5 steps to transfer your BTC with XMPP", "VR over XMPP, we tested it and it's trully amazing", "You'll never guess what they've done with XMPP"
zinidhas left
edhelas(for the last one just write how you can change the lights colors by sending <messages> :D)
jonaswor maybe my actual thing which transports sensor data over XMPP
jonaswand public transport departure times
jonaswand shows it on an LCD
ralphmhas left
blablahas joined
Alexhas left
Dave Cridland5 facts about XMPP: You'll never believe number four!
moparisthebestis it that it uses XML
Dave CridlandXMPP uses XML and people just can't handle it!
jonaswThere is a binary serialization of XML which is very compact!
moparisthebestso compact that no one even uses it!
GuusDave, if you keep this up, I'm taking away your Facebook access again.
moparisthebestso there are some interesting articles about XMPP and such, it just doesn't always call-out THIS IS XMPP https://motherboard.vice.com/en_us/article/595zg5/sopranica-jmp-wom-cell-network-diy-anonymous
moparisthebestit might be neat to have an xmpp dedicated blog to talk about cool stuff being done with xmpp today, but I couldn't write articles, I'm bad with words :)
moparisthebesthere's another one https://motherboard.vice.com/en_us/article/8xm5v3/this-software-developer-is-making-a-surveillance-free-cell-phone-network (same topic)
jonaswdo we have a planet XMPP?
jonaswlike planet python
moparisthebestmaybe the xsf should just hire ossguy / Denver Gingerich to do it's marketing :)
Dave Cridlandhas left
Dave Cridlandhas left
SamWhitedWe do have a planet XMPP… but I don't think anyone has used planets in years, so I'm not sure how much good it does. I don't even remember where it lives
SamWhitedjonasw: https://planet.jabber.org/
SamWhitedossguys marketing works because he's marketing a service; the XSF doesn't have a service to market.
moparisthebestthat's basically half the problem, some of us want to market cisco's trademarked term, others don't :P
jubalhhas left
jubalhhas joined
nycohas left
SamWhitedI don't think that's a problem or matters at all; the problem is that we want to market an abstract network and ecosystem of different products. Regardless of what we call it, people aren't going to be able to grasp that and it's just going to sound too confusing.
moparisthebestthat makes sense, what about just marketing FOSS stuff that uses XMPP though
moparisthebestjmp.chat being one example of many
SamWhitedYah, that seems good to me. People can grasp what jmp.chat or Conversations.im is; they don't need to know the protocol, just that there's a cool new chat service
SamWhitedAnd maybe somewhere it has an "XMPP Certified" or "Jabber Compatible" badge or something along those lines; most people won't care, those that do can find it.
pep.has left
Dave Cridlandhas left
blablahas left
jubalhhas joined
ralphmhas joined
blablahas joined
Alexhas joined
lovetoxhas left
lovetoxhas joined
Dave Cridlandhas left
sezuanhas joined
ralphmhas joined
SamWhitedhas joined
lskdjfhas joined
SamWhitedGuus, Kev: I just noticed some XEPs that shouldn't be in the list and the website build appears to have failed 4 days ago and not run since then, FYI
KevTa. something for after the summit, I think.
Ge0rGSamWhited: "Jabber Compatible" is what we need a new Jabber Software Alliance for!
ZashNo, first we need a funny backronym and a shiny website and a billion dolares in marketing budget
GuusSam, I'm not understanding the details of what you're writing. I'm missing a comma, somewhere, I thnk :)
Ge0rGZash: we are full of "funny" backronyms, like SCAM. And nobody is going to give us billions, nor even millions of dollars.
Ge0rGMaybe we can make a JabberCoin ICO.
SamWhitedGuus: sorry, that was confusing. The website hasn't been rebuilt for 4 days so the /extensions list is not up to date.
GuusSamWhited: it's building now. For future reference: it should pick up any change in github (so you can trigger it by committing something). It should also be triggered by a successful build of the XEPs repo.
SamWhitedoh, I should have thought of that, thanks
Guus(or rather, github pushes to XEPs will cause the XEPs dockerhub to kick off, which in turn will kick off the website one)
SamWhitedI just made a change, so I guess that would have rebuilt it soon anyways
Guusah, probably. I've now only delayed your change by triggering a manual build.
jjrhA weekly "whats going on in XMPP" would be cool sorta like http://sachachua.com/blog/2018/01/2018-01-23-emacs-news/
jjrhBut I feel like that would have already happened if someone had the time.
jjrhI have planet jabber in my rss reader though and it picks up a lot of stuff. It misses is what's happening in XSF-Standards that I gotta actually read my email ;)
ralphmhas joined
edhelasjjrh you should have Planet Jabber in your Pubsub feed reader :p
edhelasyou know "eat your own food" :p
jjrhedhelas, any client recommendations?
edhelasMovim :)
jjrhI'll have to try it out.
edhelasjust wait ~10min, i've added the feed, it will appears soon
edhelasbut there's already a bunch of them :
edhelashttps://nl.movim.eu/?node/news.movim.eu/ArsTechnica for example
jjrhso they are called 'communities' ?
edhelasyup :)
edhelasbecause "Pubsub Node" is too mainstream
jjrhGajim apparently has pubsub support but I never really figured out how to make it work.
ralphmhas joined
jjrhThought it would be good for stuff like notifications/alerts and the like for the office. Better than spamming the group chat with a bot :P Folks can easily opt in or out
SaltyBoneshas left
jjrhhttps://de.movim.eu/?community/news.movim.eu/PlanetJabber there it is :D
Alexhas left
Guushas left
ralphmhas joined
edhelas:)
Tobiashas joined
tuxhas joined
jubalhhas joined
ralphmhas joined
remkohas left
moparisthebesthas left
tuxhas joined
goffihas left
lumihas left
lumihas joined
zinidhas left
Alexhas joined
Neustradamushas left
Neustradamushas joined
jubalhhas left
Guushas left
SaltyBoneshas joined
NeustradamusAny news about clients and servers removed on XMPP.org lists?
Neustradamus"After a verification on xmpp.org, I found that the list has been changed, in the past when I managed the list, it will be more important.
Psi and Psi+ have not in list, why?
https://xmpp.org/software/clients.html
http://psi-im.org/ + http://psi-plus.com/
Really strange for historical XMPP clients
Metronome is not listed too on https://xmpp.org/software/servers.html
https://metronome.im/
It was before ;)"
moparisthebestNeustradamus: they need renewed annually or get removed automatically
Neustradamusmoparisthebest thanks for your reply! it is strange