<moparisthebest> I haven't read exactly but last I had heard that was out
<Williams W> ?
<Williams W> hello
<Williams W> ?
<Williams W> ?
<flow> Williams W, hi
<Williams W> ?
<pep.> GDPR thing in 10min
<winfried> (y)
<Ge0rG> winfried: do you happen to be using an old Gajim version?
<jonasw> .
<winfried> Ge0rG: nope, Psi+
<jonasw> can we discuss the time frame for this meeting real quick?
<winfried> because of my (y)
<jonasw> I allocated an hour, would be happy with less too, more would be an issue.
<Ge0rG> yeah, we should attempt to get through this quickly, I'm 2hr over the time budget already.
<winfried> good, I will aim for a close at 13:15 at max
<winfried> (CEST)
<Williams W> I want to know one thing: under Tor encryption, is the probability of a conversation like this being cracked even 0.1%?
<winfried> pep.: are you there?
<jonasw> .
<pep.> !
<winfried> nice additions from peter btw
<jonasw> yeah
<winfried> I will try to set up a wiki page today
<winfried> (beside my other work)
<pep.> I'll continue with the minutes
<jonasw> pep., will you be taking minutes again? :)
<jonasw> thanks :)
<winfried> great!
<winfried> think it is best to discuss federation right away now
<jonasw> ok
<pep.> Q1)
1. What consequences does the GDPR have for the Jabber network?
2. .. Jabber server operators?
3. .. what can/should the XSF do with that?
Q2) What consequences does the GDPR have for the XSF running a Jabber server?
Q3) What consequences does the GDPR have for the work processes of the XSF itself (membership, voting, wiki etc)?
<Ge0rG> I think we didn't cover d-f of Q1.1 yet?
<pep.> d-f?
<Ge0rG> pep.: from yesterday's list of aspects
<Kev> I'd suggest (and I don't really want to get involved in this) that Q2 and Q3 are much more urgently important for the XSF than Q1.
<Ge0rG> a is it in the GDPR jurisdiction, what data is
b what data is processed
c what processing is done
d what ground does the processing have
e possible consequences
<Ge0rG> Maybe there was no f.
<pep.> no f
<jonasw> no f
<winfried> we didn't fully cover grounds for c2s, true
<Ge0rG> I'd like to cover the grounds before moving on with the other Qs
<winfried> Ge0rG: good
<Ge0rG> the potential consequences are vague at best anyway.
<Ge0rG> vaguely scary.
<winfried> Ge0rG: Yes, it is the GDPR ;-)
<Ge0rG> I'd argue that if the user sends content via our server, they are giving implicit consent for us to process it.
<jonasw> Ge0rG, I’m so sure this is false.
<jonasw> the user could expect e.g. the server to forward it, but not to store it in MAM
<Ge0rG> jonasw: I'd argue that either Art 6 §1 or §2 apply.
<jonasw> or store it for less time
<Ge0rG> no way. §1 a or b.
<jonasw> consent needs to be explicit
<jonasw> (b) may very well apply
<winfried> I would vote for 6.1b
<jonasw> but that is overridden by 9.1
<jonasw> and after Peter's comments I think that 9.1 very much applies to messages.
<Ge0rG> jonasw: I'm not sure about that.
<Ge0rG> maybe this is actually something to ask a lawyer about
<jonasw> okay, so maybe let’s write that down as something somebody should definitely consult a lawyer on.
<jonasw> ha
<pep.> hmm, I don't see how 9.1 fits in that. I'll add a TODO
<Ge0rG> LQ1: does 9.1 automatically apply to all (not e2ee encrypted) user-sent content, or only if we are analyzing it for profiling/other purposes?
<jonasw> pep., in my mind, most of the GDPR handles general personal data, and 9.1 adds overrides for a certain type of personal data and prohibits all use except that outlined in 9.2
<winfried> look at 9.2e...
<jonasw> winfried, I’d argue that sending a message to another user is not "making it public"
<winfried> hmmm, but the xmpp server(operator) is third party...
<winfried> pep., can you note this as subject for further consulting?
<jonasw> Ge0rG, I made a suggestion for what winfried might be talking about :)
<pep.> :)
<Ge0rG> jonasw: ah, that wasn't clear to me. sorry
<pep.> Next?
<winfried> Ok: art 6.1 is explicit permission, art 6.2 is implicit permission. Article 9.1 overrides article 6 and sets its grounds in article 9.2. So if the messages are of the categories in 9.1, then we must go for explicit permission from 9.2a, otherwise we can do 6.2
<Ge0rG> we need to cover d) for all data types
<winfried> Ge0rG: exactly
<Ge0rG> server logs are the easiest thing.
<Ge0rG> we have those under R49
<winfried> so the question for a lawyer is: are message bodies 9.1 or not?
<jonasw> winfried, yes.
<winfried> Ge0rG: yes, agree with logs
<Ge0rG> if we consider the usage of an XMPP server as a contract between the user and the server operator = controller, 6.1b should apply to most things
<jonasw> ... except that it should be clearly stated what happens, right?
<Ge0rG> credentials are required, IP addresses might be argued under R49, timestamps / presence timestamps are complicated.
<jonasw> presence timestamps shouldn’t be 9.1 at least
<Ge0rG> presence timestamps are probably covered by the user's consent when they accept a subscription
<jonasw> I have the feeling you’re lax with consent.
<jonasw> maybe it’s just me, but I think consent can’t be established without the user being informed. so unless we inform the user actively what "add a contact" means regarding metadata, we can’t talk about consent here.
<pep.> I also feel that needs to be specified in an EULA of some sort
<Ge0rG> jonasw:
> any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
<pep.> Ge0rG, that means they understand the protocol though, right?
<jonasw> > informed
<Ge0rG> So XMPP clients need to show a warning in the add-contact dialog, that metadata will be published to their new contact?
<jonasw> possibly
<winfried> Isn't that for permission according to 6.1?
<pep.> I would say this needs to be specified when signing up for an account instead?
<jonasw> pep., that would work too
<jonasw> probably better
<jonasw> because this takes the load off clients
<pep.> yes
<jonasw> (aside from that they need to support the EULA XEP)
<pep.> yes, that still needs figuring out
<winfried> I think 13.1 applies here
<Ge0rG> winfried: is 13.1 in addition to asking for consent?
<Ge0rG> or is it possible to have a published data collection policy and assume implicit consent from users?
<jonasw> 13.1 feels weird
<winfried> the last
<pep.> Ge0rG, [x] I have read the conditions and agree
<jonasw> I think I need an epub of that thing and read it on the trains
<winfried> btw: all of 13 is applicable
<winfried> 13.4 is also interesting ;-)
<jonasw> winfried, right
<pep.> So that means an EULA should do
<jonasw> I think so too
<winfried> IF we can do it under 6.2
<Ge0rG> I'd argue that we don't need explicit consent for 6.2, and if we ask for explicit consent, we can tell the user not to upload 9.1 relevant data ;)
<jonasw> Ge0rG, "so, hey, we’ve got an IM system here. but don’t use it for private communications."
<Ge0rG> jonasw: yes
<jonasw> great…
<Ge0rG> jonasw: this is clearly legalese blame shifting.
<pep.> Ge0rG, I feel 9.1 applies only if we do more than storage on the data, but yeah that's LQ1, we'll see
<jonasw> Ge0rG, but if we ask for consent, why not ask for consent for 9.1 data, too?
<jonasw> pep., storage IS processing
<pep.> I know
<winfried> I would say: if we go for consent, we should go for consent as in 9.2, so 9.1 is covered
<pep.> That's why I specified
<jonasw> winfried, +1
<pep.> Ah, hmm
<pep.> Ok so 9.1 is meh, and we should probably cover ourselves, ask for consent as well
<jonasw> yes
<jonasw> but also the risk things Peter mentioned
<pep.> let me read that, one sec
<jonasw> specifically:
> It could be argued that storing very sensitive personal information, albeit for a short time, unencrypted, visible to anyone with access to the backend server (and perhaps more), does not constitute proportional data protection measure, knowing how sensitive the information can be in some cases. It could therefore also be argued, that the processing “reveals” this information to unauthorized persons, by the way it is implemented. It could therefore be argued, that such processing is contrary to what is required by article 9.
<jonasw> his suggestions boil down to exactly what Ge0rG said
<winfried> jonasw: yes, but at how many servers is it easy for the operator to read MAM archives or view their rosters and bookmarks?
<pep.> Also, in any case, the hosting provider will have access to the data
<jonasw> yes, but that surely is covered somehow.
<jonasw> probably something about "processor"
<Ge0rG> We need to do encryption!11
<jonasw> Ge0rG, yes, that seems to be the safest course of action
<winfried> jonasw: yes, controller / processor thing
<jonasw> e2ee everywhere
<pep.> Ge0rG, even with full-drive encryption, as long as the provider has access to the virtualization software..
<jonasw> pep., yes.
<winfried> You can do technical protection and legal protection
<Ge0rG> pep.: yes, but the checkmark is crossed.
<pep.> hmm, I want to believe you
<Ge0rG> Regulatory Compliance is a complicated thing.
<jonasw> I wanna burn something now
<winfried> jonasw: my 320p bible on the GDPR?
<Ge0rG> okay, we are not moving forward.
<pep.> Ok so, where are we for d) ?
<pep.> With this big passage about 9.1 and consent
<winfried> we have LQ1
<Ge0rG> pep.: somewhere between 6.1a, 6.1b and 9.2
<winfried> and the question of privacy by design of storage at the server
<Ge0rG> I'll ask my local GDPR expert as well, and maybe Peter can shed some light as well
<Ge0rG> winfried: that's a technical question though.
<pep.> Ge0rG, 9.2a specifically?
<Ge0rG> pep.: "explicit consent"
<pep.> yes
<winfried> Ge0rG: but it may be a consequence that technical measures need to be taken :-(
<jonasw> I’m pretty sure that we’ll need to take technical measures.
<Ge0rG> we need to take technical measures anyway.
<Ge0rG> even for 6.1a/b
<winfried> Ge0rG: depending on the risk assessment, but looking at Uber's practices, yes...
<Ge0rG> winfried: the exact amount of technical measures is subject to discussion.
<winfried> Ge0rG: yes
<Ge0rG> winfried: I think we can't cover that here.
<Ge0rG> So I suggest we skip over "consequences" and follow to the next questions
<Ge0rG> Or maybe we look at federation now
<winfried> Ge0rG: not here, not now.
<winfried> Ge0rG: we have got 20 minutes left, and need some time for discussing next steps/next appointments
<winfried> so, let's say 10 minutes federation?
<Ge0rG> winfried: +1
<Ge0rG> we need to differentiate whether the other server is under GDPR as well or not.
<winfried> Ge0rG: yes and whether the server is making secondary use of the data or not
<pep.> I'm sure it is, but how
<Ge0rG> By sending a message to somebody, a user clearly wants us to deliver that message to somebody.
<jonasw> I somehow managed to kill my poezio
<jonasw> Ge0rG, aren’t all servers under GDPR potentially?
<pep.> jonasw, I'm sure I can do that blindfolded
<jonasw> Ge0rG, because they might receive data from entities from the EU
<jonasw> 9.1 data even (if messages fall in that category)
<Ge0rG> So when we are the sending server, we just follow what the user asked for and we don't need to ensure the receiving server is GDPR compliant.
<Ge0rG> jonasw: they can block federation with the EU ;)
<Ge0rG> my point is: our user gave us that message with the explicit request to deliver it to some other entity.
<Ge0rG> that's what we do (plus local archive storage), and that's where our responsibility ends
<pep.> Ge0rG, delivery is a thing, processing on the other side is another. Maybe we should look into transfer regulations?
<jonasw> Ge0rG, but does the user also consent to have their message stored by the other entity?
<winfried> I think the line of reasoning is:
<winfried> - transfer to another controller is one possible processing too
<winfried> - it can be covered by the same consent as the other processings (LQ1)
<Ge0rG> jonasw: I think that the receiving user giving consent is sufficient.
<jonasw> Ge0rG, I’d like to have that settled properly, though
<winfried> - EXCEPT when the other server is making secondary use of the data (then at least 6.2 can't apply anymore)
<Ge0rG> jonasw: the sender indicated that they want the message delivered
<jonasw> Ge0rG, given that sharing phone contact info with WA is illegal in DE, I imagine that things might be worse with 9.1 data being stored without "proportional means of protection"
<winfried> jonasw: yes, that is the other issue: jurisdiction
<jonasw> Ge0rG, in the WA case, the victim gave their phone number to the offender, which forwarded it to WA.
<jonasw> I think this is a very similar case.
<jonasw> but with more sensitive data
<jonasw> but IANAL
<Ge0rG> jonasw: I don't think it's the same.
<jonasw> why not?
<pep.> I think we need LQ2 here
<Ge0rG> jonasw: in this case, the victim sends the content to the offender via the evil server.
<Ge0rG> I wonder how SMS/MMS processing is legally protected
<jonasw> Ge0rG, I had the same thought.
<jonasw> but probably that’s not an issue because they don’t store data for that long
<jonasw> only as long as needed to deliver
<winfried> Ge0rG: SMS/MMS separate telecom laws
<jonasw> which is reasonable or something
<pep.> jonasw, sure but then processing is done on the other side
<jonasw> Ge0rG, email would be more interesting
<Ge0rG> winfried: how are we different from them? ;)
<Ge0rG> okay, I don't want to be required to do LE
<pep.> I agree with Ge0rG it's pretty similar
<Ge0rG> email is surely very similar, but I can't find any info on email GDPR short of email marketing
<pep.> Can we try and ask big providers to see how they deal with it
<jonasw> could probably read Google's new privacy policy?
<pep.> Anybody knows one somewhat open to questions/collaboration?
<pep.> Right
<winfried> I feel we need to structure this part of the discussion better next time... but don't know how yet
<pep.> Basically lots of things here will rely on user consent
<pep.> But to what extent can we use it we don't seem to agree
<pep.> Or who needs to ask for it
<winfried> but LQ2 may be: can (implicit) consent also apply to transfer to other controller by address
<winfried> (needs a bit better formulation)
<Ge0rG> I think that we can apply 6.1f ("processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party") for federation
<pep.> winfried, what do you mean with "by address"?
<Ge0rG> the third party is the remote user, and their interest is to be able to communicate
<pep.> jonasw, what article was peter referring to again? I can't seem to find it ("proportional means of protection")
<pep.> Ah, he says article 9, and "revealing"
<pep.> hmm, ok that's why LQ1 then.
<pep.> That doesn't explain the part of our discussion about encryption
<Ge0rG> pep.: encryption is one of the mechanisms mandated to protect user data
<pep.> I guess that's art 35
<pep.> https://mastodon.social/@Gargron/99730137003463631 they don't seem worried
<pep.> Anybody knows what goes into that audit log? http://dougbelshaw.com/blog/2018/01/31/social-network/
<pep.> (grep GDPR)
<moparisthebest> I wonder how far a non-EU citizen/service is required to go to ensure non-EU people use their service?
<moparisthebest> is the GDPR only enforceable if an EU citizen sues you?
<jonasw> moparisthebest, I wish I knew at least that
<moparisthebest> if so, then everyone can just put up notices like "EU citizens are forbidden from using this service"
<moparisthebest> because they wouldn't have standing to sue you about GDPR stuff in court, because they violated your terms?
<moparisthebest> at least, I think
<jonasw> I have no idea
<pep.> I have a feeling I should prepend IANAL to any comment I make during our sessions
<jonasw> pep., easy. /nick pep.> IANAL:
<pep.> :D
<moparisthebest> yea until we get a single lawyer in here ever, maybe a server plugin should do it automatically?
<jonasw> > IANAL: has joined
<pep.> jonasw, will do next time
<jonasw> aww
<jonasw> the MUC won’t let you
<pep.> > IANAL: has joined
<jonasw> moparisthebest, yeah, no
<pep.> pff
<jonasw> that might be a solution for you USians
<jonasw> for certain definitions of "solution"
<jonasw> or, wait, you aren’t talking about the "no EU citizens" thing anymore?
<Ge0rG> moparisthebest: I think it's about targeting. If you have a European domain, support languages spoken here, etc.
<moparisthebest> I meant a server plugin should prepend IANAL to what everyone says :)
<jonasw> Ge0rG, "support languages spoken here". English?
<moparisthebest> what languages *aren't* spoken in the EU?
<moparisthebest> I feel like that'd be the shorter list
<Ge0rG> :P
<pep.> :D
<pep.> You could state "Here we speak only en_US"
<moparisthebest> or maybe you limit the character set to ASCII
<moparisthebest> that would de-facto ban most of the EU
<Ge0rG> moparisthebest: switch to IBM EBCDIC
<jonasw> to ban the whole world?
<Ge0rG> jonasw: there is no world beyond the US of A
<jonasw> I forgot
<Ge0rG> I, for one, am proud to be an EU citizen, and to finally have legal remediation against Silicon Valley sucking up and reselling all my private data.
<moparisthebest> except turns out it's the same kind of legal protection you had before
<moparisthebest> that is, to just not use the services
<Ge0rG> moparisthebest: I'm not using Facebook. I'm not using WhatsApp. And still they have data about me.
<jonasw> Ge0rG, +1
<moparisthebest> not data you didn't share somehow, presumably
<jonasw> moparisthebest, but did I share it intentionally?
<moparisthebest> it's the #1 rule of the internet, put it on the internet, it's there forever
<jonasw> moparisthebest, I didn’t put my phone number on the internet.
<jonasw> yet, WhatsApp has it most likely
<moparisthebest> no laws are going to change that
<Ge0rG> moparisthebest: oh yes, our laws will change that.
<moparisthebest> yea the law changes things, now you can't use open federated services
<moparisthebest> good work
<Ge0rG> moparisthebest: but it depends on what you mean with "put it on the internet" - make it public? use some internet service? contact your friends?
<Ge0rG> BTW, that the BigCorps are required to provide all the data they store about you is also based on EU regulations
<pep.> Ok so I have https://cryptpad.fr/code/#/1/edit/eitMC7lM6yOU4kFtNf1Nag/gvYO8K5YdRtKg-b7hNLd7mEz/ Ge0rG jonasw winfried, can you have a quick look
<jonasw> f*ck!
<jonasw> I hate that noscript bug
<jonasw> phew, I was in luck. but still
<jonasw> pep., looks good to me
<pep.> Most of what we talked about today goes into Q1.1d
<pep.> There's this "Server logs: r49" line that's kind of sitting alone there, the rest is about consent :P
<winfried> pep.: nice!
<pep.> jonasw, also I'd be inclined to say 9.1 only applies to "processing revealing [such information]", as peter suggests? But IANAL
<jonasw> pep., peter argues that processing which stores the data in plaintext may reveal it to operators
<pep.> Ah, in that sense
<jonasw> also, I think the recital is clear that the *data* reveals the information, not the processing
<pep.> Well, so full-disk encryption is beside the point right?
<jonasw> the legal text is ambiguous IMO
<jonasw> in both translations oddly enough
<jonasw> (it could be either the processing or the data which reveals info, in both en and de)
<pep.> Because operators will most likely always have access to this information, except in the e2ee case
<jonasw> pep., exactly.
<pep.> Even in the e2ee case really, it's still possible, as not many people actually check
<pep.> That would be making significant effort though, for the operator, and could be caught as well
<jonasw> that would require an additional action you normally wouldn’t do though
<pep.> Security goes as far as one is willing to apply it (and even then..)
<pep.> So I'm tempted to remove the full-disk encryption part in the minutes, and add a bit about e2ee
<pep.> (Since it was my misunderstanding)
<Ge0rG> pep.: "encryption" is just a control you "need" to checkmark.
<jonasw> I think there was talk about both
<pep.> Ge0rG, what encryption, where
<pep.> jonasw, yeah, right
<Ge0rG> pep.: a secure service will deploy a combination of disk encryption, stream encryption, user data encryption and e2ee
<jonasw> pep., in line 64, it was definitely about FDE
<jonasw> pep., maybe add a note about "ubiquitous E2EE would save us from 9.1"
<pep.> I wish
<pep.> Ge0rG, right
<pep.> jonasw, here, done
<jonasw> thanks
<pep.> Ok, sending that
<jonasw> thank you for that already :)
<pep.> Wow, the mails take quite some time to arrive
<Kev> It takes a while for all the racial profiling the server needs to do before sending them out.
<pep.> I see
<pep.> Makes sense
<moparisthebest> is there a reason the members mailing list is not linked from here: https://xmpp.org/community/mailing-lists.html
<jonasw> moparisthebest, possibly because it’s only for members
<moparisthebest> I was trying to give a link to the GDPR discussion to someone and had to manually construct it
<jonasw> I don’t think you can subscribe as non-member.
<moparisthebest> jonasw, if that's true it's incorrectly configured to be public https://mail.jabber.org/pipermail/members/2018-March/thread.html
<pep.> https://mail.jabber.org/mailman/listinfo
<jonasw> moparisthebest, maybe
<moparisthebest> (I clicked on 'standards' then changed 'standards' in the url to 'members')
<jonasw> iteam? (cc @ Kev, intosi) ^
<pep.> it's listed here
<moparisthebest> I personally don't see a reason for it to be private, I'd just like to see it listed next to the rest :)
<Kev> What's the problem here? The list should be invite-only, public archives.
<jonasw> Kev, then there’s no problem :)
<moparisthebest> except it's not listed on https://xmpp.org/community/mailing-lists.html
<jonasw> Kev, except that maybe it should be moderated-by-default and free to subscribe, if the archives are public anyways.
<Kev> I see no benefit to that.
<jonasw> Kev, ease of use
<Kev> It's easy to use for members, and that's all that matters here.
<Ge0rG> I'm not even sure what the ML is *for*
<jonasw> Kev, arguably, that discussion is interesting for non-members too.
<jonasw> but I don’t think that standards@ would be the right venue
<jonasw> what would be the most appropriate list then?
<Ge0rG> operators probably
<pep.> Yeah I don't think either. Maybe _only_ operators, would be best
<Kev> I'd have thought if this is an XSF activity, members is appropriate, with CC to operators anything that will interest them.
<moparisthebest> yea I was just linking other people for some feedback
<moparisthebest> and it was super hard to find a link that I assumed would be on the mailing lists page that I assumed would list all mailing lists :)
<Neustradamus> Kev, intosi: it will be nice to have a ML for jabber.org service and updates on https://www.jabber.org/notices.html about problems like previously
<Neustradamus> http://mail.jabber.org/mailman/listinfo/juser <-- not clear if it is for jabber.org service
<SamWhited> IETF folks that also idle here: are you aware of any SASL mechanisms similar to SCRAM (active or in development) that use Argon2 instead of PBKDF2? I was going to use Argon2 on some passwords since it's the current OWASP recommendation, but there's a chance I'll want to use the same credentials with an XMPP server later (though not in a way that requires wide support, so it doesn't matter if it's still in draft or something).
<SamWhited> I assume a quick search would have revealed it if it was already a thing, but I figured there might be an I-D which tend to be harder to find.
<Zash> Not sure if I qualify, but I'm pretty sure you can swap out PBKDF2 for some other equivalent construct.
<SamWhited> In SCRAM you mean? I think it allows you to swap out the hash used in the HMAC, but not the key derivation function. Let me double check, it would be nice if I was mistaken.
<Zash> I do believe that the general construct still makes sense with a different key derivation function.
<SamWhited> Oh yah, it does, but I'm hesitant to do something completely non-standard
<SamWhited> jonasw: what and where are those XML files located?
<SamWhited> "What are those XML files and where are the located", that is. That sentence got away from me.
<SamWhited> They… *facepalm* I really can't type.
<Zash> Yeah, where are those?
<SamWhited> I only recently discovered that there actually is a big XML file with RFC information… the IETF has even worse search engine rankings and visibility problems than we do, I'm pretty convinced.
<SamWhited> But it's not detailed and doesn't include I-Ds, as far as I know.
<SamWhited> ooh that's a good idea, thanks. Although I don't think that lists any I-Ds that might be floating around out there; still, good starting place!
<moparisthebest> hey, ALPN ids are listed now https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
<moparisthebest> kind of a strange way to word the protocol, but I guess it's correct enough?
<moparisthebest> XMPP jabber:client namespace
<moparisthebest> XMPP jabber:server namespace
<Tobias> wonder why some IDs are rather long and some others short
<Zash> SamWhited: There's http://www.ietf.org/download/id-index.txt but it's huuuuuuuuuuuuuuge
<moparisthebest> oh that's how it's listed in the XEP too, did I do that? hehe
<pep.> https://bpaste.net/show/138cf21c832d irccloud.com just updated their terms apparently, some IRC web client. I feel this will be relevant to movim instance admins, edhelas
<Ge0rG> That's interesting, they claim to be a data processor.
<pep.> yeah I noticed as well
ludohas left
ludohas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
Andrew Nenakhovhas left
jubalhhas joined
Dave Cridlandhas left
lovetoxSyndace, how is your omemo lib writing going
Andrew Nenakhovhas joined
SaltyBoneshas left
Holgerhas left
alexishas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
alexishas left
Valerianhas left
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
tuxhas joined
tuxhas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
alexishas joined
winfriedhas left
Andrew Nenakhovhas joined
ibikkhas left
alexishas left
alexishas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
alexishas left
alexishas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
marchas left
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
alexishas left
alexishas joined
Andrew Nenakhovhas left
Andrew Nenakhovhas joined
Dave Cridlandhas left
Dave Cridlandhas left
marchas left
marmistrzhas left
Dave Cridlandhas left
blablahas left
Dave Cridlandhas left
jubalhhas joined
Alexhas left
Syndace: lovetox, I spent the last days trying to get a simple client up and running that echoes OMEMO messages, with partial success.
Debugging is extremely annoying as the OMEMO of the official clients is a mess.
I once accidentally published some wrong data to the pep node and the OMEMO plugin for Gajim completely died and has remained unusable till now. Trying to send messages just fills my terminal with stack traces.
Conversations sends some weird empty message after the initial handshake. I thought I understood why it sends that message but then I found that Conversations 2.0 sends a different, even weirder message...
The small success: If my handmade client does the active handshake, the echoing works with Conversations as expected, so the crypto should be fine :)
I'm at the point where I'd probably need to dig into the code of conversations and gajim to understand the problem, but I really really really don't want to, got a lot of work atm.
But thank you for asking, I just remembered that my goal is to provide the crypto and not to provide a working client.
Tomorrow I'll clean up a last few things and release it, so you can try your luck with other clients :D
Syndace: Neustradamus: Hi! I'm fine, thanks :D
Ge0rG has left
la|r|ma has left
Dave Cridland has left
lovetox: I'm the developer of the omemo plugin
lovetox: in gajim
lovetox: so if you need help add me lovetox@conversations.im
lovetox: also if you release your work I can adapt it to gajim, and then you don't have to put work into the whole client and xmpp protocol stuff
pep.: Syndace, delegate! :)
pep.: less work for you
lovetox: yes, it's really better you just release the work, and let client devs implement it
lovetox: afterwards you can use the client to debug encryption related stuff
lovetox: I'm offering to do this as soon as you release it
Syndace: One question about the licensing stuff:
I already have MIT checked into the repo currently.
Now, I have to release GPL as we discussed recently.
If I just commit the new license, then someone can clone an earlier commit and get the earlier code including the MIT file.
Is that a problem?
Syndace: Wow thank you!
Guus has left
j.r has left
j.r has joined
pep.: hmm, I guess they can fork an earlier version of the work, though they would be liable? Maybe you can explain the reasons you're changing to GPL somewhere
peter: It's always dangerous to change licenses in midstream...
Guus has left
pep.: git-filter-branch!
Lance has left
mar has joined
LNJ has left
jonasw: SamWhited, it was merely a convoluted way of saying "take the SCRAM rfc and do the same for argon2", sorry I got your hopes up (cc @ Zash)
Syndace: pep.: Thing is, I'm not just "changing" the license because I want to, but the first license was never the correct one and I could get sued if I don't publish as GPL.
git filter-branch? Those dark areas of git that I try to avoid :D
LNJ has joined
jonasw: Syndace, git filter-branch or something equivalent is your only way.
jonasw: alternatively, you can squash the history
jonasw: why are you bound to GPL though?
Zash: Are you, really?
Dave Cridland has left
Zash: Probably should take what us non-lawyers say with a truckload of salt
lovetox: Syndace, clone your repo somewhere for backup
lovetox: squash everything into one initial commit before releasing
lovetox: upload finished
pep.: squash is meh :/
Syndace: Zash, I am bound to GPL. Until we define our own wireformat.
jonasw: Syndace, what
jonasw: source for that?
Syndace: jonasw, for what? That I'm bound to GPL?
Dave Cridland has left
jonasw: yeah
Syndace: I guess I could create a fresh repo with just the newest commit and release that one
jonasw: that doesn't make sense to me
lovetox: someone told him here
lovetox: because he looked into signal source for the wire format
Syndace: jonasw, to be able to talk to libsignal I needed to copy a few params from their code
Syndace: I don't think there is any way that is not GPL
jonasw: isn't there a specification aside from that code?
Dave Cridland has left
Syndace: For large parts, yes
jonasw: anyways, heading out.
Syndace: But the specification says for example: "Set this parameter to an application specific ASCII string"
mar has left
Dave Cridland has left
Syndace: Which I had to copy from libsignal because it is not defined anywhere
Syndace: But then again, it's no problem to switch to MIT once we define our own parameters
pep.: Not really sure what's frightening about GPL tbh
Dave Cridland has left
Zash: Probably a bit of FUD on account of Moxie & co being weird with reimplementation of signalprotocol
mar has joined
pep.: I meant, why not just stick to GPL
Syndace: pep.: GPL is fine for now but I personally don't like the philosophy of forcing open sourcers to use some license.
jonasw has left
Yagiza has left
pep.: Depends on your end goal
lovetox: pep., because not every client can ship gpl code
lovetox: there is a huge discussion about this
lovetox: on the list
pep.: lovetox, that can be distributed via another channel? You already have plugins for gajim for example
Zash: pep.: I was on why GPL, not why not.
pep.: But tbh if it were me I'd just put the client under GPL
lovetox: poezio for example is not under GPL if I remember correctly
mathieui: zlib indeed
lovetox: also jitsi I think
pep.: yeah but we also have plugins. There is no case for now for external plugins though, since all are committed in the source
lovetox: smacks lib I think is also not
pep.: But it would be doable
mathieui: lovetox, it was gplv3 at the beginning though
lovetox: yeah of course, but if someone does the work and rewrites a whole lib from scratch
lovetox: why not work toward the goal of making it with a good license
lovetox: that leaves every option open
Syndace: lovetox: my thoughts
pep.: good is definitely subjective here. It also leaves the option for companies to just reuse it and use your work without giving anything back
pep.: Or anybody really
SamWhited: That seems perfectly fine… I don't really care if people give back to my work, I just want it to be as usable as possible.
pep.: I do care
Lance has joined
Syndace: I'll go with the beer license
SamWhited: I'd rather not force a choice on the majority of people who will give back and use my open source in a good way. If one or two people are bad actors that's unfortunate, but it's not worth hurting the large number of people who aren't already using the GPL just for the possibility that one person might do something bad.
Syndace: and make it copyleft
Guus has left
pep.: SamWhited, I guess I see it the other way around. What would it cost you to release under GPL, and also have the one next to you release under GPL, etc. The main reason I see for not wanting to use GPL is if you explicitly want to allow not giving back
SamWhited: Why should I relicense my thing just because you want to use a different license? It seems arrogant of you to want me to change what I've already done just because you think something else is better.
lovetox: pep. you use it if you want as many people as possible to use it
pep.: lovetox, usage is not restricted in any case
lovetox: yes it is if it means I have to publish my source
SamWhited: But yes, I want my thing distributed as widely as possible, so I'm not going to put stupid restrictions on that. If someone abuses it, that's unfortunate, but most people won't.
lovetox: you say it's not restricted under X conditions
pep.: lovetox, right sorry I was out
lovetox: some people just can't live with these conditions so will not use it
pep.: lovetox, I wouldn't go as far as that
SamWhited: And especially if it's a security thing then I definitely want it to be usable by proprietary closed source software. We're not going to get rid of it by using the GPL, but we can possibly make it more secure by not using the GPL.
pep.: SamWhited, I'm not sure where you want to go with the security thing.
Kev has joined
lovetox: it's simple if you have higher goals
pep.: If people want to use a library they can't, then too bad for them?
pep.: either they comply or they don't use it
lovetox: if my goal is government not spying on people because I think it makes a better world
SamWhited: Exactly where I went; if someone is making a bunch of garbage IoT devices that are insecure, and I make a library that makes auth easy and they consider using it, I don't want them not to use it because I arrogantly claim that they have to release their source if they bundle my library.
lovetox: I couldn't care less if companies use my encryption and make money with it
lovetox: because my goal is still reached
SamWhited: What lovetox said; of course, that's a very specific niche goal, I'm just sick of people pretending that there's no downside or tradeoffs with the GPL.
SamWhited: There are plenty of reasons not to use it.
lovetox: also companies like google do this
pep.: Ok, well we definitely don't have the same goals, I guess I got that
lovetox: this is my opinion of course
lovetox: but often they release under licenses that allow not giving back
lovetox: because if you use their stuff it gets spread
lovetox: and when everyone uses it you suddenly depend on google stuff
lovetox: they profit in other ways from it
marmistrz has left
pep.: Note, I didn't say a word about me making profit
Guus has left
ThibG has left
ThibG has joined
ludo has joined
sezuan has left
sezuan has joined
j.r has left
j.r has joined
Dave Cridland has left
lskdjf has left
j.r has left
Guus has left
lskdjf has joined
Ge0rG has left
Dave Cridland has left
j.r has joined
moparisthebest: I think I'm the one that said that, and IANAL
moparisthebest: but I believe that if you copy even any tiny part from a GPL library, or possibly even look at it before implementing a replacement, it's a derivative work that must be licensed GPL, does that sound right?
ta has joined
moparisthebest: besides if APIs are copyrightable I'm not sure anything matters anymore https://www.bloomberg.com/news/articles/2018-03-27/oracle-wins-revival-of-billion-dollar-case-against-google ...