-
Guus
For those that want to attend the Summit, and have not yet sent me their email address: _please do so now_. It's needed to generate a wifi code, as well as building access.
-
Ge0rG
https://news.ycombinator.com/item?id=16257073 - zero xmpp.
-
mathieui
Ge0rG, first post is pidgin/adium + OTR, which includes xmpp
-
Ge0rG
Right, which is a set of broken and outdated things.
-
SouL
Ge0rG, you can reply recommending XMPP then :D
-
Ge0rG
SouL: oh, yes. Which one of the horrible desktop clients shall I recommend?
-
jonasw
Ge0rG, tell them that e2e is useless anyways
-
jonasw
I thought that’s your speciality? :)
-
Zash
Doesn't any mention of XMPP just attract hordes of pro-Matrix trolls?
-
mathieui
that it does
-
Ge0rG
jonasw: I only hate E2EE over XMPP, because it doesn't match the comms model of XMPP in any reasonable way
-
SaltyBones
Ge0rG, why not? Because it is not multi-device?
-
Ge0rG
SaltyBones: because it's absolutely decoupled from the XMPP identity model.
-
SaltyBones
Ge0rG, but that is rather common isn't it?
-
SaltyBones
Or do you mean something like in GPG where a key specifies the e-mail address it is for?
-
Ge0rG
SaltyBones: not in protocols where e2ee is a first class citizen
-
Ge0rG
SaltyBones: no, I mean things like tox where your public key is your ID
-
SamWhited
I haven't used Tox, but that sounds like GPG levels of unusability…
-
Ge0rG
SamWhited: take Briar, then.
- jonasw invokes Zooko's Triangle
-
SamWhited
As long as I don't have to remember a key then I'll take just about anything
-
Zash
All hail the great Zooko
-
Ge0rG
jonasw: thanks very much. XMPP is the crypto protocol that only checks off one of the three points.
-
moparisthebest
Ge0rG, a key being inseparable from an identity isn't great either, I lose my phone, and suddenly have to let all contacts know? ew
-
Ge0rG
moparisthebest: only if you define key as being the same as phone.
-
moparisthebest
how else could you define it
-
Zash
Run your own CA
-
Ge0rG
moparisthebest: in a dozen other ways :P
-
moparisthebest
how about you have a well defined account name, maybe in the format of local@domain, and then verify keys out of band? :D
-
Ge0rG
moparisthebest: that's great, except it doesn't give any strong binding between your identity and your keys.
-
moparisthebest
it does if you verify it out of band
-
Ge0rG
moparisthebest: in which case you can as well have cryptographic identities
-
Zash
Who verifies it?
-
moparisthebest
user, if they want
-
moparisthebest
my only point is both have upsides and downsides, the upside of xmpp being everything else just works and you don't have to reinvent the wheel
-
Ge0rG
except that not everything works in XMPP
-
moparisthebest
better than reinventing the wheel
-
Zash
And E2EE is actively making things worse for me now. Messages only showing up on my phone :(
-
Ge0rG
Zash: what? If only somebody could have warned you!
-
moparisthebest
another reason identity-tied-to-key is worse, now you lose multi device support
-
MattJ
+1
-
moparisthebest
that's just something that can be approved, rather than each user manually trusting all device keys of a contact, once they trust one, they could trust all others based on a signature from the one they trusted
-
moparisthebest
s/approved/improved/
-
Ge0rG
moparisthebest: exactly my point
-
moparisthebest
what is
-
Ge0rG
strapping a per-device crypto identity on top of a federated per-account identity is just not going to work. full stop.
-
moparisthebest
no, it'll work just fine
-
moparisthebest
sure it's not ideal today, but all the building blocks are there to make it ideal
-
Ge0rG
moparisthebest: the building blocks are there to make it barely usable.
-
moparisthebest
my point is strapping per-device crypto identity mixed with identity-per-contact is unusable with multi device
-
Ge0rG
Yes.
-
moparisthebest
so the xmpp approach is clearly better
-
Ge0rG
looks like we are saying the same.
-
Ge0rG
Wait.
-
Zash
Ge0rG: It might work but it'll be a hack.
-
Ge0rG
moparisthebest: what you just described as unusable _is_ the XMPP approach.
-
Zash
Model conflicts all over
-
moparisthebest
no
-
moparisthebest
what you said is ideal, the key *is* your identity
-
moparisthebest
is not compatible with multiple devices
-
Ge0rG
moparisthebest: you can export the key.
-
moparisthebest
do any current systems work that way?
-
Ge0rG
I surely hope so.
-
moparisthebest
I seriously doubt it, if you are routing based on key not quite sure how you route to 2 different places
-
moparisthebest
sounds hard
-
Ge0rG
moparisthebest: either all of your devices use the same identity key, or you have device keys that are all maintained under your identity key.
-
moparisthebest
by the way, it doesn't actually solve any problem, before you had a *name* and have to out-of-band ensure it matches a *key*
-
moparisthebest
and now you have a *key* and can't match it to a *name*
-
moparisthebest
how is it different?
-
Zash
The direction of authority in XMPP is from DNS to servers to accounts to clients. E2E wants it in the other direction, sorta
-
moparisthebest
it's not that straightforward anymore when you add DNSSEC and CAs either
-
moparisthebest
the root problem is how do you match a key to a person
-
moparisthebest
and, iirc, that's not solved in any system
-
Zash
That's a hard problem
-
MattJ
It's just impractical to solve in the real world
-
MattJ
It's a nice technical challenge for ideological geeks
-
Zash
When everyone learns to do cryptographic signature algorithms in their heads then maybe
-
MattJ
and then SHA256 gets broken
-
moparisthebest
the best we can do is 'good enough' for most people and 'rock solid' for the people who really care, which I think is basically what we have
-
Zash
Then having users as the root of trust might work
-
SaltyBones
I like ideas like certificate transparency and CONIKS
-
SaltyBones
combining that with some good old WoT and a nice scan-barcode-to-verify should actually be pretty good
-
moparisthebest
today you can meet people in person, or call them, or whatever, and verify identity, that's the rock solid for people who care
-
moparisthebest
on the 'good enough' front, if bob from the xsf messages me, whatever, talking with him for a bit is 'good enough'
-
moparisthebest
I mean here I am talking with Ge0rG in an anonymous muc, he might not even be the same Ge0rG from yesterday, clearly we couldn't care less about identities in XMPP :P
-
Zash
People can grasp hierarchical systems, we have them everywhere, in companies and organizations. P2P and WoT is like anarchy :)
-
SaltyBones
Zash, actually I think WoT is very natural for people but the WoT for e-mail is not explicit enough for people to get it and it is too complicated to maintain it
-
SaltyBones
The bigger issue is that WoT has huge privacy issues
-
Ge0rG
> the root problem is how do you match a key to a person
http://web.archive.org/web/20110501005631/http://thealiceandbobsuicide.org/
-
SaltyBones
I think a combination of a public ledger for assigning jid<->key combined with automatic WoT verification with known users would be cool
-
SaltyBones
Ge0rG, indeed but if you meet the person that is rather easy to do
-
SaltyBones
the question is how do you distribute that information so that it is readily accessible
-
Ge0rG
SaltyBones: the WoT for mail is absolutely broken.
-
moparisthebest
the people on my contact list fall into 2 categories, 1. People I know in-person and have verified keys in-person 2. People I don't know in person so who cares
-
Zash
Did you just suggest a blockchain?
-
Ge0rG
SaltyBones: just one keyword as explanation: transitive trust.
-
SaltyBones
Zash, I almost certainly did not, sir!
-
moparisthebest
you said public ledger
-
SaltyBones
But yeah, the implication is there, but something like certificate transparency would work as well
-
moparisthebest
if you trust the certificate transparency servers I guess
-
SaltyBones
you guess correctly
-
Ge0rG
the blockchain is a complex solution to a single problem of a distributed currency: double-spending.
-
Ge0rG
I wonder how double-spending is a problem with public identities.
-
moparisthebest
easy, because key X signs a message saying they own me@mydomain.com
-
moparisthebest
now if key Y comes along and signs they own me@mydomain.com you know it's not valid
-
Ge0rG
moparisthebest: how do you know that key X is legitimate?
-
moparisthebest
they signed it first!
-
Ge0rG
moparisthebest: okay, so if we have a public ledger, the first to sign a JID wins.
-
moparisthebest
yep
-
moparisthebest
first come first served
-
Ge0rG
how does that prevent me from signing *@xmpp.org
-
moparisthebest
it doesn't
-
moparisthebest
well * isn't valid so you'd have to sign a lot
-
moparisthebest
but yea
-
Ge0rG
So it's worthless as an identity tracking device. Good.
-
moparisthebest
no it'd track identity perfectly
-
Ge0rG
Claimed identity.
-
jonasw
I’d argue that you shouldn’t be able to claim something@domain, but only domain
-
moparisthebest
I just said earlier I think no one has solved this and it's basically impossible to solve :P
-
jonasw
(and then delegate claims for something@domain)
-
Zash
But xmpp.org is the authority over *@xmpp.org
-
Ge0rG
moparisthebest: so you are trying to solve a problem you think is impossible to solve?
-
moparisthebest
and PIR is the authority over .org and ICANN over that and US govt over that Zash, what's your point
-
moparisthebest
Ge0rG, nope it's solved good enough
-
Ge0rG
Except it's not.
-
Zash
moparisthebest: adding another name authority will create a mess
-
Ge0rG
jonasw: what you describe is the trust model of XMPP, without any need for E2EE
-
jonasw
Ge0rG, I admit I didn’t take a close look :)
-
Ge0rG
jonasw: servers are responsible for user identities on their service. XMPP.
-
Ge0rG
Now one _could_ add OMEMO keys in PEP on individual JIDs and encrypt-by-default, and have E2EE with server-trusted manually-verifiable identity.
-
moparisthebest
isn't that exactly how it works?
-
SaltyBones
I think he is missing the server-trusted...?
-
moparisthebest
I'm not really sure what that means then, the server doesn't need to trust anything
-
SaltyBones
I read it as "the server should provide trust in the identities it provides"
-
SaltyBones
Like signing the users keys or similar
-
Zash
Having the server sign user identities somehow ?
-
SaltyBones
Well, you could also use IBE if you want to go really crazy. :)
-
moparisthebest
the server does basically
-
moparisthebest
I mean the server should only allow those to be set from the account setting them
-
moparisthebest
alice@server can't set bob@server's pep nodes can she?
-
Ge0rG
I meant that the server is trusted by default
-
moparisthebest
Ge0rG, uh again that's how it works now
-
Ge0rG
moparisthebest: in the single-device case.
-
SaltyBones
I don't see what this has to do with e2e
-
moparisthebest
Ge0rG, https://gultsch.de/trust.html
-
SaltyBones
If you combine that with a CONIKS like transparency approach it is actually very good.
-
Ge0rG
coinks sounds like a pig.
-
SaltyBones
if you spell it like that it sounds like COIN-X another cryptocurrency
-
Ge0rG
or that.
-
jonasw
moparisthebest, didn’t you set up some ALPN test host?
-
jonasw
or domain?
-
moparisthebest
haven't set up the tests yet no, but mine requires alpn on the first record over ipv4
-
jonasw
I’d need something which always requires ALPN for the tests to be useful
-
jonasw
(I want to add that to the aioxmpp test suite)
-
moparisthebest
no don't have that yet sorry
-
jonasw
ah, pity
-
moparisthebest
you could use firewall rules to fake it, but then tests might only pass/fail on your machine
-
jonasw
yeah, I want to run that in travis CI
-
moparisthebest
probably easier to set up a test host yourself honestly :P
-
Zash
Can openssl s_server?
-
edhelas
https://blog.status.im/status-invests-5m-in-riot-im-4e3026a8bd50
-
Ge0rG
> Status - A Mobile OS, Built for Ethereum.
No further questions. I rest my case.
-
Zash
Objection, relevance?
-
Ge0rG
Bullshit Bingo Strike.
-
moparisthebest
that's really all XSF is missing
-
moparisthebest
a marketing team full of master bullshitters
-
vanitasvitae
I read the URL like "status invests 5 minutes in riot im" :D
-
moparisthebest
hey, that's the same amount I invested in riot im
-
SaltyBones
pfff
-
SaltyBones
Furthermore, the collaboration between Status and Matrix is expected to: Utilize the Status Network token within Riot.im by enabling crypto assets
-
SaltyBones
they are buying influence and users
-
vanitasvitae
I actually tested it for a few weeks. The thing that dragged me back to xmpp/conversations was that the app could not receive messages when closed.
-
vanitasvitae
SaltyBones, sounds a little bit like the Telegram blockchain thingy
-
SaltyBones
vanitasvitae, did you test riot/matrix or whisper?
-
moparisthebest
I found it more confusing than any other IM app I've ever used
-
moparisthebest
and then I tried installing it on my wife's phone and messaging my username
-
vanitasvitae
SaltyBones, I tested the app from fdroid
-
moparisthebest
but then my IRC account on freenode got the message instead
-
SaltyBones
I mean, the fact that the app cannot receive messages while closed it unlikely to be a protocol restriction
-
moparisthebest
wtf
-
SaltyBones
I mean, the fact that the app cannot receive messages while closed is unlikely to be a protocol restriction
-
vanitasvitae
yeah, my phone doesn't have gcm
-
vanitasvitae
but I gave it the same permissions I also gave conversations
-
jonasw
moparisthebest, wtf
-
moparisthebest
jonasw, well turns out they have an always on freenode gateway, so if you search 'moparisthebest' in riot.im that came up before my new username :P
-
moparisthebest
still was confusing before I figured it out
-
moparisthebest
basically would not mark it 'easy to use'
-
jonasw
so you can search arbitrary users on freenode in riot.im?
-
moparisthebest
I've never accidentally messaged someone on freenode from conversations
-
moparisthebest
yep
-
jonasw
aha.
-
moparisthebest
but nothing clearly said 'this is an IRC user on freenode'
-
edhelas
who wants to write some BS articles on the XMPP blog? then we can get some funding to buy pizzas and stickers for the next Summit?
-
moparisthebest
that's the problem, we need a master BS artist, and we are (all?) programmers
-
edhelas
like "5 steps to transfer your BTC with XMPP", "VR over XMPP, we tested it and it's truly amazing", "You'll never guess what they've done with XMPP"
-
edhelas
(for the last one just write how you can change the lights colors by sending <messages> :D)
-
jonasw
or maybe my actual thing which transports sensor data over XMPP
-
jonasw
and public transport departure times
-
jonasw
and shows it on an LCD
-
Dave Cridland
5 facts about XMPP: You'll never believe number four!
-
moparisthebest
is it that it uses XML
-
Dave Cridland
XMPP uses XML and people just can't handle it!
-
jonasw
There is a binary serialization of XML which is very compact!
-
moparisthebest
so compact that no one even uses it!
-
Guus
Dave, if you keep this up, I'm taking away your Facebook access again.
-
moparisthebest
so there are some interesting articles about XMPP and such, it just doesn't always call-out THIS IS XMPP https://motherboard.vice.com/en_us/article/595zg5/sopranica-jmp-wom-cell-network-diy-anonymous
-
moparisthebest
it might be neat to have an xmpp dedicated blog to talk about cool stuff being done with xmpp today, but I couldn't write articles, I'm bad with words :)
-
moparisthebest
here's another one https://motherboard.vice.com/en_us/article/8xm5v3/this-software-developer-is-making-a-surveillance-free-cell-phone-network (same topic)
-
jonasw
do we have a planet XMPP?
-
jonasw
like planet python
-
moparisthebest
maybe the xsf should just hire ossguy / Denver Gingerich to do its marketing :)
-
SamWhited
We do have a planet XMPP… but I don't think anyone has used planets in years, so I'm not sure how much good it does. I don't even remember where it lives
-
SamWhited
jonasw: https://planet.jabber.org/
-
SamWhited
ossguy's marketing works because he's marketing a service; the XSF doesn't have a service to market.
-
moparisthebest
that's basically half the problem, some of us want to market cisco's trademarked term, others don't :P
-
SamWhited
I don't think that's a problem or matters at all; the problem is that we want to market an abstract network and ecosystem of different products. Regardless of what we call it, people aren't going to be able to grasp that and it's just going to sound too confusing.
-
moparisthebest
that makes sense, what about just marketing FOSS stuff that uses XMPP though
-
moparisthebest
jmp.chat being one example of many
-
SamWhited
Yah, that seems good to me. People can grasp what jmp.chat or Conversations.im is; they don't need to know the protocol, just that there's a cool new chat service
-
SamWhited
And maybe somewhere it has an "XMPP Certified" or "Jabber Compatible" badge or something along those lines; most people won't care, those that do can find it.
-
SamWhited
Guus, Kev: I just noticed some XEPs that shouldn't be in the list and the website build appears to have failed 4 days ago and not run since then, FYI
-
Kev
Ta. something for after the summit, I think.
-
Ge0rG
SamWhited: "Jabber Compatible" is what we need a new Jabber Software Alliance for!
-
Zash
No, first we need a funny backronym and a shiny website and a billion dolares in marketing budget
-
Guus
Sam, I'm not understanding the details of what you're writing. I'm missing a comma, somewhere, I think :)
-
Ge0rG
Zash: we are full of "funny" backronyms, like SCAM. And nobody is going to give us billions, nor even millions of dollars.
-
Ge0rG
Maybe we can make a JabberCoin ICO.
-
SamWhited
Guus: sorry, that was confusing. The website hasn't been rebuilt for 4 days so the /extensions list is not up to date.
-
SamWhited
Guus: https://hub.docker.com/r/xmppxsf/xmpp.org/builds/ba3edxw2vyssrdcnovd6gps/
-
Guus
that's light on details :/
-
Guus
I can try to kick it off again?
-
SamWhited
sounds good, thanks
-
Guus
SamWhited: it's building now. For future reference: it should pick up any change in github (so you can trigger it by committing something). It should also be triggered by a successful build of the XEPs repo.
-
SamWhited
oh, I should have thought of that, thanks
-
Guus
(or rather, github pushes to XEPs will cause the XEPs dockerhub to kick off, which in turn will kick off the website one)
-
SamWhited
I just made a change, so I guess that would have rebuilt it soon anyways
-
Guus
ah, probably. I've now only delayed your change by triggering a manual build.
-
jjrh
A weekly "what's going on in XMPP" would be cool sorta like http://sachachua.com/blog/2018/01/2018-01-23-emacs-news/
-
jjrh
But I feel like that would have already happened if someone had the time.
-
jjrh
I have planet jabber in my rss reader though and it picks up a lot of stuff. What it misses is what's happening in XSF-Standards, for that I gotta actually read my email ;)
-
edhelas
jjrh you should have Planet Jabber in your Pubsub feed reader :p
-
edhelas
you know "eat your own food" :p
-
jjrh
edhelas, any client recommendations?
-
edhelas
Movim :)
-
jjrh
I'll have to try it out.
-
edhelas
just wait ~10min, I've added the feed, it will appear soon
-
edhelas
but there's already a bunch of them :
-
edhelas
https://nl.movim.eu/?node/news.movim.eu/ArsTechnica for example
-
jjrh
so they are called 'communities' ?
-
edhelas
yup :)
-
edhelas
because "Pubsub Node" is too mainstream
-
jjrh
Gajim apparently has pubsub support but I never really figured out how to make it work.
-
jjrh
Thought it would be good for stuff like notifications/alerts and the like for the office. Better than spamming the group chat with a bot :P Folks can easily opt in or out
-
jjrh
https://de.movim.eu/?community/news.movim.eu/PlanetJabber there it is :D
-
edhelas
:)
-
Neustradamus
Any news about clients and servers removed on XMPP.org lists?
-
Neustradamus
"After a verification on xmpp.org, I found that the list has been changed, in the past when I managed the list, it will be more important. Psi and Psi+ have not in list, why? https://xmpp.org/software/clients.html http://psi-im.org/ + http://psi-plus.com/ Really strange for historical XMPP clients Metronome is not listed too on https://xmpp.org/software/servers.html https://metronome.im/ It was before ;)"
-
moparisthebest
Neustradamus: they need renewed annually or get removed automatically
-
Neustradamus
moparisthebest thanks for your reply! it is strange