Tobias, how/where did you learn about those two I-Ds?
Tobias
The Twitter realms
Tobias
Will see if I get around reading them on the 🚆
Flow
Tobias, kk :)
zinid
Failed outbound s2s EXTERNAL authentication zinid.ru -> jabber.org (208.68.163.218): Authentication failed: Peer provided no SASL mechanisms; most likely it doesn't accept our certificate
zinid
does anybody know when SASL EXTERNAL will be fixed on jabber.org?
Tobias
zinid, yeah...DNS will be fixed.
Tobias
zinid, currently a lot of people are busy doing FOSDEM things though
zinid
I don't think this is DNS problem
zinid
this is a problem in certificate verification
Tobias
oh
zinid
jabber.org's server doesn't accept LE certificates for example
Tobias
Flow, https://tools.ietf.org/html/draft-omara-mls-architecture-00#section-2.2 sounds tricky to do in a federated world, unless the "Authentication Service" can federate with others
Tobias
zinid, I'm using LE on my server and it can talk to jdev, so it supports them but there seem to be issues
zinid
Tobias, that's because it authenticates your server via dialback
Tobias
could be
zinid
but not every server is running dialback module, and more servers will stop using it in the future
SaltyBones
Tobias: so if the authentication service is trusted this is not e2e and thus not like omemo/otr, right?
Tobias
that's the question
Flow
Tobias, not sure if it is tricky in a federated system, but if you don't have a central authentication authority and can't cryptographically bind your identity with your key, your only option is probably something like fingerprint verification and/or TOFU
Tobias
right, in the end there are still people who want end to end verification when they meet
Tobias
"By definition, the AS is invested with a large amount of trust. A malicious AS can impersonate - or allow an attacker to impersonate - any user of the system. This risk can be mitigated by publishing the binding between identities and keys in a public log such as Key Transparency (KT) [KeyTransparency]."
Tobias
Flow, they just bolt heavy KT on it and be done with it
Tobias
wonder how that scales, these KT logs become quite large
SaltyBones
Tobias, have you found the corresponding mailing list discussion already?
Tobias
there doesn't seem to be one, currently it's just a personal draft
SaltyBones
Yeah, I can't find anything either.
Tobias
Flow, also https://tools.ietf.org/html/draft-omara-mls-architecture-00#section-3.1.6 :) "should be able to interoperate"
Tobias
at least not a MAY :)
SaltyBones
Okay, from what I can find they don't even state how this is supposed to work so one can check.
SaltyBones
And the reference to the protocol has no link. :p
Tobias
Federated authentication is tricky
SaltyBones
Is that this: https://medium.com/netflix-techblog/message-security-layer-a-modern-take-on-securing-communication-f16964b79642 ?
SaltyBones
Tobias, but for proper e2e you need e2e verification anyway...
SaltyBones
You can get away without it if you have decent ratcheting, I suppose.
Tobias
I did a federated authentication thing for IoT. But there I hard linked the crypto to the network layer (IPv6 address)
Tobias
That's not directly possible with free choice DNS names so we would need a different system for XMPP
SaltyBones
"hard linked"?
SaltyBones
So if a device is compromised you throw it away because the key cannot be changed?
SaltyBones
(Seems to be one of the few cases where this might not be problem.)
Tobias
If you change the key you change the address
SaltyBones
Tobias, I axed: https://mailarchive.ietf.org/arch/msg/cfrg/KN9-Dy26tBGMx4YkzY98ZDkpRTg