-
Flow
Tobias, how/where did you learn about those two I-Ds?
-
Tobias
The Twitter realms
-
Tobias
Will see if I get around reading them on the 🚆
-
Flow
Tobias, kk :)
-
zinid
Failed outbound s2s EXTERNAL authentication zinid.ru -> jabber.org (208.68.163.218): Authentication failed: Peer provided no SASL mechanisms; most likely it doesn't accept our certificate
-
zinid
does anybody know when SASL EXTERNAL will be fixed on jabber.org?
-
Tobias
zinid, yeah...DNS will be fixed.
-
Tobias
zinid, currently a lot of people are busy doing FOSDEM things though
-
zinid
I don't think this is a DNS problem
-
zinid
this is a problem in certificate verification
-
Tobias
oh
-
zinid
jabber.org's server doesn't accept LE certificates for example
-
Tobias
Flow, https://tools.ietf.org/html/draft-omara-mls-architecture-00#section-2.2 sounds tricky to do in a federated world, unless the "Authentication Service" can federate with others
-
Tobias
zinid, I'm using LE on my server and it can talk to jdev, so it supports them but there seem to be issues
-
zinid
Tobias, that's because it authenticates your server via dialback
-
Tobias
could be
-
zinid
but not every server is running dialback module, and more servers will stop using it in the future
-
SaltyBones
Tobias: so if the authentication service is trusted this is not e2e and thus not like omemo/otr, right?
-
Tobias
that's the question
-
Flow
Tobias, not sure if it is tricky in a federated system, but if you don't have a central authentication authority and can't cryptographically bind your identity with your key, your only option is probably something like fingerprint verification and/or TOFU
-
Tobias
right, in the end there are still people who want end to end verification when they meet
-
Tobias
"By definition, the AS is invested with a large amount of trust. A malicious AS can impersonate - or allow an attacker to impersonate - any user of the system. This risk can be mitigated by publishing the binding between identities and keys in a public log such as Key Transparency (KT) [KeyTransparency]."
-
Tobias
Flow, they just bolt heavy KT on it and be done with it
-
Tobias
wonder how that scales, these KT logs become quite large
-
SaltyBones
Tobias, have you found the corresponding mailing list discussion already?
-
Tobias
there doesn't seem to be one, currently it's just a personal draft
-
SaltyBones
Yeah, I can't find anything either.
-
Tobias
Flow, also https://tools.ietf.org/html/draft-omara-mls-architecture-00#section-3.1.6 :) "should be able to interoperate"
-
Tobias
at least not a MAY :)
-
SaltyBones
Okay, from what I can find they don't even state how this is supposed to work so one can check.
-
SaltyBones
And the reference to the protocol has no link. :p
-
Tobias
Federated authentication is tricky
-
SaltyBones
Is that this: https://medium.com/netflix-techblog/message-security-layer-a-modern-take-on-securing-communication-f16964b79642 ?
-
SaltyBones
Tobias, but for proper e2e you need e2e verification anyway...
-
SaltyBones
You can get away without it if you have decent ratcheting, I suppose.
-
Tobias
I did a federated authentication thing for IoT. But there I hard linked the crypto to the network layer (IPv6 address)
-
Tobias
That's not directly possible with free choice DNS names so we would need a different system for XMPP
-
SaltyBones
"hard linked"?
-
SaltyBones
So if a device is compromised you throw it away because the key cannot be changed?
-
SaltyBones
(Seems to be one of the few cases where this might not be problem.)
-
Tobias
If you change the key you change the address
-
SaltyBones
Tobias, I axed: https://mailarchive.ietf.org/arch/msg/cfrg/KN9-Dy26tBGMx4YkzY98ZDkpRTg
-
Tobias
I linked to proto earlier. See history
-
Tobias
https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/
-
SaltyBones
Oh, cool, I'll add that!
-
Tobias
Don't know how future-proof that is. It's not mentioning block chain at all
-
SaltyBones
-_-
-
SaltyBones
Tobias, https://twitter.com/paul_pearce/status/959138611617673216
-
Tobias
😀
-
Ge0rG
AES CBC is literally a block chain.
-
Zash
!
-
Zash
Is "nano" still a cool word?
-
Ge0rG
Zash: sorry, nope
-
Zash
"nanoblockchain"
-
Zash
"microblockchain" then?
-
Zash
pico?
-
Ge0rG
"nano" was a thing when I went to school. Which is now almost 20 years ago
-
Zash
I was in school 20 years ago too
-
Ge0rG
Zash: I propose "eco" or "bio" because it comes without PoW
-
waqas
Yeah, enough time has passed to move to pico now
-
Zash
PicoBlockChain - PBC
-
waqas
Ge0rG: Eco has been around for too long too
-
waqas
I haven't heard of Bio that much in tech however… XEP-xxxx: Bio Chains
-
Zash
Hyperblockchains?
-
MattJ
nano is a cool word, I use it all the time
-
Zash
Something something hypercube routing
-
pep.
Noob question, is there a way to never send the plain passwd to the server and only do scram, from account creation to the end. (Thinking about ibr)
-
Ge0rG
Hyper cube, wasn't that the movie full of deadly traps?
-
Ge0rG
pep.: you need to send the password during ibr
-
MattJ
pep., no
-
Zash
Wasn't there some draft/protoxep on uploading SCRAM stuff?
-
MattJ
oh?
-
Zash
Bunneh: xep scram
-
Bunneh
Zash: Sorry, I couldn't find a match
-
pep.
Zash: would be nice
-
pep.
Also, scram for the web when
-
Zash
Hah, good luck
-
Zash
Re the talk of device / client registration that was mentioned on the summit
-
Zash
Isn't that something like the model of OAuth, where instead of the user signing into their account, they authorize the clients to access their account.
-
Zash
In that model, password login doesn't make as much sense
-
Ge0rG
I want an Auth mechanism called SCUMM.
-
moparisthebest
What like oauth with Facebook?