XSF Discussion - 2018-01-29

For those that want to attend the Summit, and have not yet send me their email address: _please do so now_. It's needed to generate a wifi code, as well as building access.

https://news.ycombinator.com/item?id=16257073 - zero xmpp.

Ge0rG, first post is pidgin/adium + OTR, which includes xmpp

Right, which is a set of broken and outdated things.

Ge0rG, you can reply recommending XMPP then :D

SouL: oh, yes. Which one of the horrible desktop clients shall I recommend?

Ge0rG, tell them that e2e is useless anyways

I thought that’s your speciality? :)

Doesn't any mention of XMPP just attract hordes of pro-Matrix trolls?

that it does

jonasw: I only hate E2EE over XMPP, because it doesn't match the comms model of XMPP in any reasonable way

Ge0rG, why not? Because it is not multi-device?

SaltyBones: because it's absolutely decoupled from the XMPP identity model.

Ge0rG, but that is rather common isn't it?

Or do you mean something like in GPG where a key specifies the e-mail address it is for?

SaltyBones: not in protocols where e2ee is a first class citizen

SaltyBones: no, I mean things like tox where your public key is your ID

I haven't used Tox, but that sounds like GPG levels of unusability…

SamWhited: take Briar, then.

As long as I don't have to remember a key then I'll take just about anything

All hail the great Zooko

jonasw: thanks very much. XMPP is the crypto protocol that only checks off one of the three points.

Ge0rG, a key being inseperable from an identity isn't great either, I lose my phone, and suddenly have to let all contacts know? ew

moparisthebest: only if you define key as being the same as phone.

how else could you define it

Run your own CA

moparisthebest: in a dozen of other ways :P

how about you have a well defined account name, maybe in the format of local@domain, and then verify keys out of band? :D

moparisthebest: that's great, except it doesn't give any strong binding between your identity and your keys.

it does if you verify it out of band

moparisthebest: in which case you can as well have cryptographic identities

Who verifies it?

user, if they want

my only point is both have upsides and downsides, the upside of xmpp being everything else just works and you don't have to reinvent the wheel

except that not everything works in XMPP

better than reinventing the wheel

And E2EE is actively making things worse for me now. Messages only showing up on my phone :(

Zash: what? If only somebody could have warned you!

another reason identity-tied-to-key is worse, now you lose multi device support

+1

that's just something that can be approved, rather than each user manually trusting all device keys of a contact, once they trust one, they could trust all others based on a signature from the one they trusted

s/approved/improved/

moparisthebest: exactly my point

what is

strapping a per-device crypto identity on top of a federated per-account identity is just not going to work. full stop.

no, it'll work just fine

sure it's not ideal today, but all the building blocks are there to make it ideal

moparisthebest: the building blocks are there to make it barely usable.

my point is strapping per-device crypto identity mixed with identity-per-contact is unusable with multi device

Yes.

so the xmpp approach is clearly better

looks like we are saying the same.

Wait.

Ge0rG: It might work but it'll be a hack.

moparisthebest: what you just described as unusable _is_ the XMPP approach.

Model conflicts all over

no

what you said is ideal, the key *is* your identity

is not compatible with multiple devices

moparisthebest: you can export the key.

do any current systems work that way?

I surely hope so.

I seriously doubt it, if you are routing based on key not quite sure how you route to 2 different places

sounds hard

moparisthebest: either all of your devices use the same identity key, or you have device keys that are all maintained under your identity key.

by the way, it doesn't actually solve any problem, before you had a *name* and have to out-of-band ensure it matches a *key*

and now you have a *key* and can't match it to a *name*

how is it different?

The direction of authority in XMPP is from DNS to servers to accounts to clients. E2E wants it in the other direction, sorta

it's not that straightforward anymore when you add DNSSEC and CAs either

the root problem is how do you match a key to a person

and, iirc, that's not solved in any system

That's a hard problem

It's just impractical to solve in the real world

It's a nice technical challenge for ideological geeks

When everyone learns to do cryptographic signature algorithms in their heads then maybe

and then SHA256 gets broken

the best we can do is 'good enough' for most people and 'rock solid' for the people who really care, which I think is basically what we have

Then having users as the root of trust might work

I like ideas like certificate transparency and CONIKS

combining that with some good old WoT and a nice scan-barcode-to-verify should actually be pretty good

today you can meet people in person, or call them, or whatever, and verify identity, that's the rock solid for people who care

on the 'good enough' front, if bob from the xsf messages me, whatever, talking with him for a bit is 'good enough'

I mean here I am talking with Ge0rG in an anonymous muc, he might not even be the same Ge0rG from yesterday, clearly we couldn't care less about identities in XMPP :P

People can grasp hierarchical systems, we have them everywhere, in companies and organizations. P2P and WoT is like anarchy :)

Zash, actually I think WoT is very natural for people but the WoT for e-mail is not explicit enough for people to get it and it is too complicated to maintain it

The bigger issue is that WoT has huge privacy issues

> the root problem is how do you match a key to a person http://web.archive.org/web/20110501005631/http://thealiceandbobsuicide.org/

I think a combination of a public ledger for assigning jid<->key combined with automatic WoT verification with known users would be cool

Ge0rG, indeed but if you meet the person that is rather easy to do

the question is how do you distribute that information so that it is readily accessible

SaltyBones: the WoT for mail is absolutely broken.

the people on my contact list fall into 2 categories, 1. People I know in-person and have verified keys in-person 2. People I don't know in person so who cares

Did you just suggest a blockchain?

SaltyBones: just one keyword as explanation: transitive trust.

Zash, I almost certainly did not, sir!

you said public ledger

But yeah, the implication is there, but something like certificate transparency does would work as well

if you trust the certificate transparency servers I guess

you guess correctly

the blockchain is a complex solution to a single problem of a distributed currency: double-spending.

I wonder how double-spending is a problem with public identities.

easy, because key X signs a message saying they own me@mydomain.com

now if key Y comes along and signs they own me@mydomain.com you know it's not valid

moparisthebest: how do you know that key X is legitimate?

they signed it first!

moparisthebest: okay, so if we have a public ledger, the first to sign a JID wins.

yep

first come first served

how does that prevent me from signing *@xmpp.org

it doesn't

well * isn't valid so you'd have to sign a lot

but yea

So it's worthless as an identity tracking device. Good.

no it'd track identity perfectly

Claimed identity.

I’d argue that you shouldn’t be able to claim something@domain, but only domain

I just said earlier I think no one has solved this and it's basically impossible to solve :P

(and then delegate claims for something@domain)

But xmpp.org is the authority over *@xmpo.org

moparisthebest: so you are trying to solve a problem you think is impossible to solve?

and PIR is the authority over .org and ICANN over that and US govt over that Zash , what's your point

Ge0rG, nope it's solved good enough

Except it's not.

moparisthebest: adding another name authority will create a mess

jonasw: what you describe is the trust model of XMPP, without any need for E2EE

Ge0rG, I admit I didn’t take a close look :)

jonasw: servers are responsible for user identities on their service. XMPP.

Now one _could_ add OMEMO keys in PEP on individual JIDs and encrypt-by-default, and have E2EE with server-trusted manually-verifiable identity.

isn't that exactly how it works?

I think he is missing the server-trusted...?

I'm not really sure what that means then, the server doesn't need to trust anything

I read it as "the server should provide trust in the identities it provides"

Like signing the users keys or similar

Having the server sign user identities somehow ?

Well, you could also use IBE if you want to go really crazy. :)

the server does basically

I mean the server should only allow those to be set from the account setting them

alice@server can't set bob@server's pep nodes can she?

I meant that the server is trusted by default

Ge0rG, uh again that's how it works now

moparisthebest: in the single-device case.

I don't see what this has to do with e2e

Ge0rG, https://gultsch.de/trust.html

If you combine that with a CONIKS like transparency approach it is actually very good.

coinks sounds like a pig.

if you spell it like that it sounds like COIN-X another cryptocurrency

or that.

moparisthebest, didn’t you set up some ALPN test host?

or domain?

haven't set up the tests yet no, but mine requires alpn on the first record over ipv4

I’d need something which always requires ALPN for the tests to be useful

(I want to add that to the aioxmpp test suite)

no don't have that yet sorry

ah, pity

you could use firewall rules to fake it, but then tests might only pass/fail on your machine

yeah, I want to run that in travis CI

probably easier to set up a test host yourself honestly :P

Can openssl s_server?

https://blog.status.im/status-invests-5m-in-riot-im-4e3026a8bd50

> Status - A Mobile OS, Built for Ethereum. No further questions. I rest my case.

Objection, relevance?

Bullshit Bingo Strike.

that's really all XSF is missing

a marketing team full of master bullshitters

I read the URL like "status invests 5 minutes in riot im" :D

hey, that's the same amount I invested in riot im

pfff

Furthermore, the collaboration between Status and Matrix is expected to: Utilize the Status Network token within Riot.im by enabling crypto assets

they are bying influence and users

I actually tested it for a few weeks. The thing that dragged me back to xmpp/conversations was that the app could not receive messages when closed.

SaltyBones, sounds a little bit like the Telegram blockchain thingy

vanitasvitae, did you test riot/matrix or whisper?

I found it more confusing than any other IM app I've ever used

and then I tried installing it on my wife's phone and messaging my username

SaltyBones, I tested the app from fdroid

but then my IRC account on freenode got the message instead

wtf

I mean, the fact that the app cannot receive messages while closed is unlikely to be a protocol restriction ✏

yeah, my phone doesnt have gcm

but I gave it the same permissions I also gave conversations

moparisthebest, wtf

jonasw, well turns out they have an always on freenode gateway, so if you search 'moparisthebest' in riot.im that came up before my new username :P

still was confusing before I figured it out

basically would not mark it 'easy to use'

so you can search arbitrary users on freenode in riot.im?

I've never accidentally messaged someone on freenode from conversations

yep

aha.

but nothing clearly said 'this is an IRC user on freenode'

who want to write some BS articles on the XMPP blog ? then we can get some funding to buy pizzas and stickers for the next Summit ?

that's the problem, we need a master BS artist, and we are (all?) programmers

like "5 steps to transfer your BTC with XMPP", "VR over XMPP, we tested it and it's trully amazing", "You'll never guess what they've done with XMPP"

(for the last one just write how you can change the lights colors by sending <messages> :D)

or maybe my actual thing which transports sensor data over XMPP

and public transport departure times

and shows it on an LCD

5 facts about XMPP: You'll never believe number four!

is it that it uses XML

XMPP uses XML and people just can't handle it!

There is a binary serialization of XML which is very compact!

so compact that no one even uses it!

Dave, if you keep this up, I'm taking away your Facebook access again.

so there are some interesting articles about XMPP and such, it just doesn't always call-out THIS IS XMPP https://motherboard.vice.com/en_us/article/595zg5/sopranica-jmp-wom-cell-network-diy-anonymous

it might be neat to have an xmpp dedicated blog to talk about cool stuff being done with xmpp today, but I couldn't write articles, I'm bad with words :)

here's another one https://motherboard.vice.com/en_us/article/8xm5v3/this-software-developer-is-making-a-surveillance-free-cell-phone-network (same topic)

do we have a planet XMPP?

like planet python

maybe the xsf should just hire ossguy / Denver Gingerich to do it's marketing :)

We do have a planet XMPP… but I don't think anyone has used planets in years, so I'm not sure how much good it does. I don't even remember where it lives

jonasw: https://planet.jabber.org/

ossguys marketing works because he's marketing a service; the XSF doesn't have a service to market.

that's basically half the problem, some of us want to market cisco's trademarked term, others don't :P

I don't think that's a problem or matters at all; the problem is that we want to market an abstract network and ecosystem of different products. Regardless of what we call it, people aren't going to be able to grasp that and it's just going to sound too confusing.

that makes sense, what about just marketing FOSS stuff that uses XMPP though

jmp.chat being one example of many

Yah, that seems good to me. People can grasp what jmp.chat or Conversations.im is; they don't need to know the protocol, just that there's a cool new chat service

And maybe somewhere it has an "XMPP Certified" or "Jabber Compatible" badge or something along those lines; most people won't care, those that do can find it.

Guus, Kev: I just noticed some XEPs that shouldn't be in the list and the website build appears to have failed 4 days ago and not run since then, FYI

Ta. something for after the summit, I think.

SamWhited: "Jabber Compatible" is what we need a new Jabber Software Alliance for!

No, first we need a funny backronym and a shiny website and a billion dolares in marketing budget

Sam, I'm not understanding the details of what you're writing. I'm missing a comma, somewhere, I thnk :)

Zash: we are full of "funny" backronyms, like SCAM. And nobody is going to give us billions, nor even millions of dollars.

Maybe we can make a JabberCoin ICO.

Guus: sorry, that was confusing. The website hasn't been rebuilt for 4 days so the /extensions list is not up to date.

Guus: https://hub.docker.com/r/xmppxsf/xmpp.org/builds/ba3edxw2vyssrdcnovd6gps/

that's light on details :/

I can try to kick it off again?

sounds good, thanks

SamWhited: it's building now. For future reference: it should pick up any change in github (so you can trigger it by committing something). It should also be triggered by a successful build of the XEPs repo.

oh, I should have thought of that, thanks

(or rather, github pushes to XEPs will cause the XEPs dockerhub to kick off, which in turn will kick off the website one)

I just made a change, so I guess that would have rebuilt it soon anyways

ah, probably. I've now only delayed your change by triggering a manual build.

A weekly "whats going on in XMPP" would be cool sorta like http://sachachua.com/blog/2018/01/2018-01-23-emacs-news/

But I feel like that would have already happened if someone had the time.

I have planet jabber in my rss reader though and it picks up a lot of stuff. It misses is what's happening in XSF-Standards that I gotta actually read my email ;)

jjrh you should have Planet Jabber in your Pubsub feed reader :p

you know "eat your own food" :p

edhelas, any client recommendations?

Movim :)

I'll have to try it out.

just wait ~10min, i've added the feed, it will appears soon

but there's already a bunch of them :

https://nl.movim.eu/?node/news.movim.eu/ArsTechnica for example

so they are called 'communities' ?

yup :)

because "Pubsub Node" is too mainstream

Gajim apparently has pubsub support but I never really figured out how to make it work.

Thought it would be good for stuff like notifications/alerts and the like for the office. Better than spamming the group chat with a bot :P Folks can easily opt in or out

https://de.movim.eu/?community/news.movim.eu/PlanetJabber there it is :D

:)

Any news about clients and servers removed on XMPP.org lists?

"After a verification on xmpp.org, I found that the list has been changed, in the past when I managed the list, it will be more important. Psi and Psi+ have not in list, why? https://xmpp.org/software/clients.html http://psi-im.org/ + http://psi-plus.com/ Really strange for historical XMPP clients Metronome is not listed too on https://xmpp.org/software/servers.html https://metronome.im/ It was before ;)"

Neustradamus: they need renewed annually or get removed automatically

moparisthebest thanks for your reply! it is strange