For those that want to attend the Summit, and have not yet sent me their email address: _please do so now_. It's needed to generate a wifi code, as well as building access.
Ge0rG
https://news.ycombinator.com/item?id=16257073 - zero xmpp.
mathieui
Ge0rG, first post is pidgin/adium + OTR, which includes xmpp
Ge0rG
Right, which is a set of broken and outdated things.
SouL
Ge0rG, you can reply recommending XMPP then :D
Ge0rG
SouL: oh, yes. Which one of the horrible desktop clients shall I recommend?
jonasw
Ge0rG, tell them that e2e is useless anyways
jonasw
I thought that’s your speciality? :)
Zash
Doesn't any mention of XMPP just attract hordes of pro-Matrix trolls?
mathieui
that it does
Ge0rG
jonasw: I only hate E2EE over XMPP, because it doesn't match the comms model of XMPP in any reasonable way
SaltyBones
Ge0rG, why not? Because it is not multi-device?
Ge0rG
SaltyBones: because it's absolutely decoupled from the XMPP identity model.
SaltyBones
Ge0rG, but that is rather common isn't it?
SaltyBones
Or do you mean something like in GPG where a key specifies the e-mail address it is for?
Ge0rG
SaltyBones: not in protocols where e2ee is a first class citizen
Ge0rG
SaltyBones: no, I mean things like tox where your public key is your ID
SamWhited
I haven't used Tox, but that sounds like GPG levels of unusability…
Ge0rG
SamWhited: take Briar, then.
jonasw invokes Zooko's Triangle
SamWhited
As long as I don't have to remember a key then I'll take just about anything
Zash
All hail the great Zooko
Ge0rG
jonasw: thanks very much. XMPP is the crypto protocol that only checks off one of the three points.
moparisthebest
Ge0rG, a key being inseparable from an identity isn't great either, I lose my phone, and suddenly have to let all contacts know? ew
Ge0rG
moparisthebest: only if you define key as being the same as phone.
moparisthebest
how else could you define it
Zash
Run your own CA
Ge0rG
moparisthebest: in a dozen of other ways :P
moparisthebest
how about you have a well defined account name, maybe in the format of local@domain, and then verify keys out of band? :D
Ge0rG
moparisthebest: that's great, except it doesn't give any strong binding between your identity and your keys.
moparisthebest
it does if you verify it out of band
Ge0rG
moparisthebest: in which case you can as well have cryptographic identities
Zash
Who verifies it?
moparisthebest
user, if they want
moparisthebest
my only point is both have upsides and downsides, the upside of xmpp being everything else just works and you don't have to reinvent the wheel
Ge0rG
except that not everything works in XMPP
moparisthebest
better than reinventing the wheel
Zash
And E2EE is actively making things worse for me now. Messages only showing up on my phone :(
Ge0rG
Zash: what? If only somebody could have warned you!
moparisthebest
another reason identity-tied-to-key is worse, now you lose multi device support
MattJ
+1
moparisthebest
that's just something that can be approved, rather than each user manually trusting all device keys of a contact, once they trust one, they could trust all others based on a signature from the one they trusted
moparisthebest
s/approved/improved/
Ge0rG
moparisthebest: exactly my point
moparisthebest
what is
Ge0rG
strapping a per-device crypto identity on top of a federated per-account identity is just not going to work. full stop.
moparisthebest
no, it'll work just fine
moparisthebest
sure it's not ideal today, but all the building blocks are there to make it ideal
Ge0rG
moparisthebest: the building blocks are there to make it barely usable.
moparisthebest
my point is strapping per-device crypto identity mixed with identity-per-contact is unusable with multi device
Ge0rG
Yes.
moparisthebest
so the xmpp approach is clearly better
Ge0rG
looks like we are saying the same.
Ge0rG
Wait.
Zash
Ge0rG: It might work but it'll be a hack.
Ge0rG
moparisthebest: what you just described as unusable _is_ the XMPP approach.
Zash
Model conflicts all over
moparisthebest
no
moparisthebest
what you said is ideal, the key *is* your identity
moparisthebest
is not compatible with multiple devices
Ge0rG
moparisthebest: you can export the key.
moparisthebest
do any current systems work that way?
Ge0rG
I surely hope so.
moparisthebest
I seriously doubt it, if you are routing based on key not quite sure how you route to 2 different places
moparisthebest
sounds hard
Ge0rG
moparisthebest: either all of your devices use the same identity key, or you have device keys that are all maintained under your identity key.
moparisthebest
by the way, it doesn't actually solve any problem, before you had a *name* and have to out-of-band ensure it matches a *key*
moparisthebest
and now you have a *key* and can't match it to a *name*
moparisthebest
how is it different?
Zash
The direction of authority in XMPP is from DNS to servers to accounts to clients. E2E wants it in the other direction, sorta
moparisthebest
it's not that straightforward anymore when you add DNSSEC and CAs either
moparisthebest
the root problem is how do you match a key to a person
moparisthebest
and, iirc, that's not solved in any system
Zash
That's a hard problem
MattJ
It's just impractical to solve in the real world
MattJ
It's a nice technical challenge for ideological geeks
Zash
When everyone learns to do cryptographic signature algorithms in their heads then maybe
MattJ
and then SHA256 gets broken
moparisthebest
the best we can do is 'good enough' for most people and 'rock solid' for the people who really care, which I think is basically what we have
Zash
Then having users as the root of trust might work
SaltyBones
I like ideas like certificate transparency and CONIKS
SaltyBones
combining that with some good old WoT and a nice scan-barcode-to-verify should actually be pretty good
moparisthebest
today you can meet people in person, or call them, or whatever, and verify identity, that's the rock solid for people who care
moparisthebest
on the 'good enough' front, if bob from the xsf messages me, whatever, talking with him for a bit is 'good enough'
moparisthebest
I mean here I am talking with Ge0rG in an anonymous muc, he might not even be the same Ge0rG from yesterday, clearly we couldn't care less about identities in XMPP :P
Zash
People can grasp hierarchical systems, we have them everywhere, in companies and organizations. P2P and WoT is like anarchy :)
SaltyBones
Zash, actually I think WoT is very natural for people but the WoT for e-mail is not explicit enough for people to get it and it is too complicated to maintain it
SaltyBones
The bigger issue is that WoT has huge privacy issues
Ge0rG
> the root problem is how do you match a key to a person
http://web.archive.org/web/20110501005631/http://thealiceandbobsuicide.org/
SaltyBones
I think a combination of a public ledger for assigning jid<->key combined with automatic WoT verification with known users would be cool
SaltyBones
Ge0rG, indeed but if you meet the person that is rather easy to do
SaltyBones
the question is how do you distribute that information so that it is readily accessible
Ge0rG
SaltyBones: the WoT for mail is absolutely broken.
moparisthebest
the people on my contact list fall into 2 categories, 1. People I know in-person and have verified keys in-person 2. People I don't know in person so who cares
Zash
Did you just suggest a blockchain?
Ge0rG
SaltyBones: just one keyword as explanation: transitive trust.
SaltyBones
Zash, I almost certainly did not, sir!
moparisthebest
you said public ledger
SaltyBones
But yeah, the implication is there, but something like what certificate transparency does would work as well
moparisthebest
if you trust the certificate transparency servers I guess
SaltyBones
you guess correctly
Ge0rG
the blockchain is a complex solution to a single problem of a distributed currency: double-spending.
Ge0rG
I wonder how double-spending is a problem with public identities.
moparisthebest
easy, because key X signs a message saying they own me@mydomain.com
moparisthebest
now if key Y comes along and signs they own me@mydomain.com you know it's not valid
Ge0rG
moparisthebest: how do you know that key X is legitimate?
moparisthebest
they signed it first!
Ge0rG
moparisthebest: okay, so if we have a public ledger, the first to sign a JID wins.
moparisthebest
yep
moparisthebest
first come first served
Ge0rG
how does that prevent me from signing *@xmpp.org
moparisthebest
it doesn't
moparisthebest
well * isn't valid so you'd have to sign a lot
moparisthebest
but yea
Ge0rG
So it's worthless as an identity tracking device. Good.
moparisthebest
no it'd track identity perfectly
Ge0rG
Claimed identity.
jonasw
I’d argue that you shouldn’t be able to claim something@domain, but only domain
moparisthebest
I just said earlier I think no one has solved this and it's basically impossible to solve :P
jonasw
(and then delegate claims for something@domain)
Zash
But xmpp.org is the authority over *@xmpp.org
Ge0rG
moparisthebest: so you are trying to solve a problem you think is impossible to solve?
moparisthebest
and PIR is the authority over .org and ICANN over that and US govt over that Zash , what's your point
moparisthebest
Ge0rG, nope it's solved good enough
Ge0rG
Except it's not.
Zash
moparisthebest: adding another name authority will create a mess
Ge0rG
jonasw: what you describe is the trust model of XMPP, without any need for E2EE
jonasw
Ge0rG, I admit I didn’t take a close look :)
Ge0rG
jonasw: servers are responsible for user identities on their service. XMPP.
Ge0rG
Now one _could_ add OMEMO keys in PEP on individual JIDs and encrypt-by-default, and have E2EE with server-trusted manually-verifiable identity.
moparisthebest
isn't that exactly how it works?
SaltyBones
I think he is missing the server-trusted...?
moparisthebest
I'm not really sure what that means then, the server doesn't need to trust anything
SaltyBones
I read it as "the server should provide trust in the identities it provides"
SaltyBones
Like signing the users keys or similar
Zash
Having the server sign user identities somehow ?
SaltyBones
Well, you could also use IBE if you want to go really crazy. :)
moparisthebest
the server does basically
moparisthebest
I mean the server should only allow those to be set from the account setting them
moparisthebest
alice@server can't set bob@server's pep nodes can she?
Ge0rG
I meant that the server is trusted by default
moparisthebest
Ge0rG, uh again that's how it works now
Ge0rG
moparisthebest: in the single-device case.
SaltyBones
I don't see what this has to do with e2e
moparisthebest
Ge0rG, https://gultsch.de/trust.html
SaltyBones
If you combine that with a CONIKS like transparency approach it is actually very good.
Ge0rG
coinks sounds like a pig.
SaltyBones
if you spell it like that it sounds like COIN-X another cryptocurrency
Ge0rG
or that.
jonasw
moparisthebest, didn’t you set up some ALPN test host?
jonasw
or domain?
moparisthebest
haven't set up the tests yet no, but mine requires alpn on the first record over ipv4
jonasw
I’d need something which always requires ALPN for the tests to be useful
jonasw
(I want to add that to the aioxmpp test suite)
moparisthebest
no don't have that yet sorry
jonasw
ah, pity
moparisthebest
you could use firewall rules to fake it, but then tests might only pass/fail on your machine
jonasw
yeah, I want to run that in travis CI
moparisthebest
probably easier to set up a test host yourself honestly :P
> Status - A Mobile OS, Built for Ethereum.
No further questions. I rest my case.
Zash
Objection, relevance?
Ge0rG
Bullshit Bingo Strike.
moparisthebest
that's really all XSF is missing
moparisthebest
a marketing team full of master bullshitters
vanitasvitae
I read the URL like "status invests 5 minutes in riot im" :D
moparisthebest
hey, that's the same amount I invested in riot im
SaltyBones
pfff
SaltyBones
Furthermore, the collaboration between Status and Matrix is expected to:
Utilize the Status Network token within Riot.im by enabling crypto assets
SaltyBones
they are buying influence and users
vanitasvitae
I actually tested it for a few weeks. The thing that dragged me back to xmpp/conversations was that the app could not receive messages when closed.
vanitasvitae
SaltyBones, sounds a little bit like the Telegram blockchain thingy
SaltyBones
vanitasvitae, did you test riot/matrix or whisper?
moparisthebest
I found it more confusing than any other IM app I've ever used
moparisthebest
and then I tried installing it on my wife's phone and messaging my username
vanitasvitae
SaltyBones, I tested the app from fdroid
moparisthebest
but then my IRC account on freenode got the message instead
SaltyBones
I mean, the fact that the app cannot receive messages while closed is unlikely to be a protocol restriction
moparisthebest
wtf
vanitasvitae
yeah, my phone doesn't have gcm
vanitasvitae
but I gave it the same permissions I also gave conversations
jonasw
moparisthebest, wtf
moparisthebest
jonasw, well turns out they have an always on freenode gateway, so if you search 'moparisthebest' in riot.im that came up before my new username :P
moparisthebest
still was confusing before I figured it out
moparisthebest
basically would not mark it 'easy to use'
jonasw
so you can search arbitrary users on freenode in riot.im?
moparisthebest
I've never accidentally messaged someone on freenode from conversations
moparisthebest
yep
jonasw
aha.
moparisthebest
but nothing clearly said 'this is an IRC user on freenode'
edhelas
who wants to write some BS articles on the XMPP blog? then we can get some funding to buy pizzas and stickers for the next Summit?
moparisthebest
that's the problem, we need a master BS artist, and we are (all?) programmers
edhelas
like "5 steps to transfer your BTC with XMPP", "VR over XMPP, we tested it and it's truly amazing", "You'll never guess what they've done with XMPP"
edhelas
(for the last one just write how you can change the lights colors by sending <messages> :D)
jonasw
or maybe my actual thing which transports sensor data over XMPP
jonasw
and public transport departure times
jonasw
and shows it on an LCD
Dave Cridland
5 facts about XMPP: You'll never believe number four!
moparisthebest
is it that it uses XML
Dave Cridland
XMPP uses XML and people just can't handle it!
jonasw
There is a binary serialization of XML which is very compact!
moparisthebest
so compact that no one even uses it!
Guus
Dave, if you keep this up, I'm taking away your Facebook access again.
moparisthebest
so there are some interesting articles about XMPP and such, it just doesn't always call-out THIS IS XMPP https://motherboard.vice.com/en_us/article/595zg5/sopranica-jmp-wom-cell-network-diy-anonymous
moparisthebest
it might be neat to have an xmpp dedicated blog to talk about cool stuff being done with xmpp today, but I couldn't write articles, I'm bad with words :)
moparisthebest
here's another one https://motherboard.vice.com/en_us/article/8xm5v3/this-software-developer-is-making-a-surveillance-free-cell-phone-network (same topic)
jonasw
do we have a planet XMPP?
jonasw
like planet python
moparisthebest
maybe the xsf should just hire ossguy / Denver Gingerich to do its marketing :)
SamWhited
We do have a planet XMPP… but I don't think anyone has used planets in years, so I'm not sure how much good it does. I don't even remember where it lives
SamWhited
jonasw: https://planet.jabber.org/
SamWhited
ossguy's marketing works because he's marketing a service; the XSF doesn't have a service to market.
moparisthebest
that's basically half the problem, some of us want to market cisco's trademarked term, others don't :P
SamWhited
I don't think that's a problem or matters at all; the problem is that we want to market an abstract network and ecosystem of different products. Regardless of what we call it, people aren't going to be able to grasp that and it's just going to sound too confusing.
moparisthebest
that makes sense, what about just marketing FOSS stuff that uses XMPP though
moparisthebest
jmp.chat being one example of many
SamWhited
Yah, that seems good to me. People can grasp what jmp.chat or Conversations.im is; they don't need to know the protocol, just that there's a cool new chat service
SamWhited
And maybe somewhere it has an "XMPP Certified" or "Jabber Compatible" badge or something along those lines; most people won't care, those that do can find it.
SamWhited
Guus, Kev: I just noticed some XEPs that shouldn't be in the list and the website build appears to have failed 4 days ago and not run since then, FYI
Kev
Ta. something for after the summit, I think.
Ge0rG
SamWhited: "Jabber Compatible" is what we need a new Jabber Software Alliance for!
Zash
No, first we need a funny backronym and a shiny website and a billion dolares in marketing budget
Guus
Sam, I'm not understanding the details of what you're writing. I'm missing a comma, somewhere, I think :)
Ge0rG
Zash: we are full of "funny" backronyms, like SCAM. And nobody is going to give us billions, nor even millions of dollars.
Ge0rG
Maybe we can make a JabberCoin ICO.
SamWhited
Guus: sorry, that was confusing. The website hasn't been rebuilt for 4 days so the /extensions list is not up to date.
SamWhited: it's building now. For future reference: it should pick up any change in github (so you can trigger it by committing something). It should also be triggered by a successful build of the XEPs repo.
SamWhited
oh, I should have thought of that, thanks
Guus
(or rather, github pushes to XEPs will cause the XEPs dockerhub to kick off, which in turn will kick off the website one)
SamWhited
I just made a change, so I guess that would have rebuilt it soon anyways
Guus
ah, probably. I've now only delayed your change by triggering a manual build.
jjrh
A weekly "whats going on in XMPP" would be cool sorta like http://sachachua.com/blog/2018/01/2018-01-23-emacs-news/
jjrh
But I feel like that would have already happened if someone had the time.
jjrh
I have planet jabber in my rss reader though and it picks up a lot of stuff. What it misses is what's happening in XSF-Standards; for that I gotta actually read my email ;)
edhelas
jjrh you should have Planet Jabber in your Pubsub feed reader :p
edhelas
you know "eat your own food" :p
jjrh
edhelas, any client recommendations?
edhelas
Movim :)
jjrh
I'll have to try it out.
edhelas
just wait ~10min, I've added the feed, it will appear soon
edhelas
but there's already a bunch of them :
edhelas
https://nl.movim.eu/?node/news.movim.eu/ArsTechnica for example
jjrh
so they are called 'communities' ?
edhelas
yup :)
edhelas
because "Pubsub Node" is too mainstream
jjrh
Gajim apparently has pubsub support but I never really figured out how to make it work.
jjrh
Thought it would be good for stuff like notifications/alerts and the like for the office. Better than spamming the group chat with a bot :P Folks can easily opt in or out
jjrh
https://de.movim.eu/?community/news.movim.eu/PlanetJabber there it is :D
edhelas
:)
Neustradamus
Any news about clients and servers removed on XMPP.org lists?
Neustradamus
"After a verification on xmpp.org, I found that the list has been changed, in the past when I managed the list, it will be more important.
Psi and Psi+ are not in the list, why?
https://xmpp.org/software/clients.html
http://psi-im.org/ + http://psi-plus.com/
Really strange for historical XMPP clients
Metronome is not listed too on https://xmpp.org/software/servers.html
https://metronome.im/
It was before ;)"
moparisthebest
Neustradamus: they need renewed annually or get removed automatically
Neustradamus
moparisthebest thanks for your reply! it is strange