XSF Discussion - 2018-09-24


  687. dos

    what would be the best approach to implement "carbons", but for the transport contacts? 🤔 (so the message sent directly through the legacy network can show up in the xmpp conversation)

  700. Ge0rG

    dos: write a new XEP where the transport is allowed to send carbons to a user

  702. Ge0rG

    dos: there was a thread at https://mail.jabber.org/pipermail/standards/2018-January/034224.html

  705. Ge0rG

    f'up at https://mail.jabber.org/pipermail/standards/2018-February/034267.html

  712. moparisthebest

    I implemented a, uh, client side transport that way

  713. moparisthebest

    Kind of, it's a dumb echo component so carbons and mam and such just work for free

  714. jonas’

    dos, https://xmpp.org/extensions/xep-0356.html might be interesting in that regard

  724. goffi

    dos: what kind of transport are you implementing? Will it be publicly available/libre ?

  857. Maranda

    hm any client doing scram-sha256?

  860. SamWhited

    Maranda: Conversations does, also my dummy test client https://github.com/mellium/communique-tui

  868. Maranda

    SamWhited, ok giving it a go then, the code *should* already work with it, I just need to change the hash algorithm.

  869. Maranda

    SamWhited, ok giving it a go then, the code *should* already work with it, I just need to change the hash algorithm function.

  870. Maranda

    (and store sha256 keys)

  873. Maranda

    SamWhited, what Conversations does if one mechanism fails?

  874. Maranda

    does it try another?

  875. SamWhited

    Maranda: sort of; it falls back but it's also more complicated than that. If it manages to connect successfully the first time it "pins" the auth mechanism used and will only use one with that or a higher level of security in the future to prevent downgrade attacks

  876. SamWhited

    So if it uses SCRAM-SHA-1 once it will use SCRAM-SHA-256 if support is added, but if that works and it logs in it won't use SCRAM-SHA-1 anymore.

  879. Zash

    Problem: How do you upgrade the hashes?

  880. Maranda

    SamWhited, because obviously users will have to change their password to add SHA256 keys

  881. Maranda

    Zash, you don't

  882. Maranda

    Zash, I just save keys for both hashing algorithms, figured it was much easier that way

  883. SamWhited

    Zash: do a rolling upgrade when users change passwords?

  884. Maranda

    Indeed

  885. SamWhited

    I don't know what's conventional for servers

  886. Maranda

    SamWhited, but you'll have to save keys for both SHA1 and SHA256

  887. SamWhited

    Maranda: if you want to support both, yes. Otherwise you can just advertise whichever you have keys for for that particular user.

  888. Zash

    You don't know which user it is until they try to auth

  889. SamWhited

    But yah, given that sha-256 isn't widespread I'd probably keep both

  890. Maranda

    SamWhited, huhu I'd not try with the "not supporting both"

  891. Zash

    They have to pick a mechanism first

  892. SamWhited

    Zash: oh yah, good point, setting "from" isn't required on streams.

  893. SamWhited

    Storing both for now is probably easy enough though

  894. Maranda

    For now code just checks if there're keys for one algorithm if not it'll throw a temporary-auth-failure error.

  895. Maranda

    that's why I asked what Conversations does :P

  983. Maranda

    SamWhited, what's that tester code you mentioned again?

  986. Maranda

    (for SCRAM)

  988. SamWhited

    Maranda: https://github.com/mellium/sasl/blob/master/client_test.go

  991. SamWhited

    That reminds me, I still really need to implement the server side of scram in that sasl library

  997. Maranda

    SamWhited, I'm getting some shenanigan with BinaryXOR being performed on ClientSignature and Proof in final message.

  998. Maranda

    le sigh.

  999. moparisthebest

    So uh, isn't storing sha1 hash of password server side just as bad as plaintext?

  1000. moparisthebest

    And basically same deal with sha256 ?

  1001. moparisthebest

    Seems likely plain auth would be better so you could store it with scrypt or bcrypt?

  1002. SamWhited

    moparisthebest: it's not a sha1 hash, sha1 is just used for data integrity in an hmac

  1003. moparisthebest

    So what's the talk about how it's stored?

  1004. Zash

    PBKDF2

  1005. SamWhited

    A lot of servers store an intermediate step in the SCRAM process or some other hash.

  1006. pep.

    moparisthebest, https://stackoverflow.com/questions/4938906/is-sha1-still-secure-for-use-as-hash-function-in-pbkdf2

  1007. Zash

    To verify bcrypt or scrypt as is, you need the plain text password. SCRAM doesn't require that

  1008. moparisthebest

    I have to read up on SCRAM

  1009. Zash

    You do

  1012. Zash

    It's not comparable with bcrypt. It uses PBKDF2 which does that kind of job, but then there is XOR magic.

  1015. SamWhited

    moparisthebest: TL;DR when you want to upgrade, for example, a web app's password from bcrypt and salted to something else, say PBKDF2 or argon2, you wait for the user to log in, then you hash the password with bcrypt, compare to make sure it's the right one, then hash it with the new thing and save the new hash. However, with SCRAM you never actually send the password, you send a verifiable proof that you possess the password, but there's no way to upgrade that proof to a proof for a different scheme.

  1016. jonas’

    SCRAM is a pretty amazing thing

  1017. jonas’

    SamWhited, unless you force the user to change passwords

  1018. jonas’

    or downgrade to PLAIN only, which is what I did. (and which Conversations didn’t let me do painlessly)

  1019. jonas’

    (which is a good thing imo)

  1020. SamWhited

    Right, we don't currently have a good way to force upgrades.

  1021. SamWhited

    It could be done because SCRAM performs mutual authentication, so once the server is authenticated to the client it could send a "please send your password in plain and upgrade to SCRAM-SHA-256" message, but we don't have a way to do that currently.

  1022. pep.

    IBR doesn't even do SCRAM, which is something I wanted to tackle, but I'll pass the baton to whomever says a word about it :P

  1025. SamWhited

    pep. feel free to provide feedback or implementations of https://xmpp.org/extensions/xep-0389.html

  1026. pep.

    oh

  1027. SamWhited

    It needs a lot more work, but part of the idea was to let IBR use regular SASL mechanisms

  1028. pep.

    Thanks, I completely missed it

  1029. jonas’

    SamWhited, seems like a thing which SASL2 could do

  1030. jonas’

    (the upgrade thing)

  1031. SamWhited

    yah, it's probably something we should think about.

  1038. SamWhited

    Although, it could probably be backwards compatible by just defining a message the server can send to the client at any time that tells it "clear any pinned auth mechanisms" then the server could force a reconnect and only offer PLAIN the next time.

  1039. pep.

    That kind of defeats the point of doing SCRAM no?

  1040. SamWhited

    pep. no, because it would only happen after you've authed the server

  1041. pep.

    What do you mean

  1042. SamWhited

    You know you're talking to the correct server, so starting over and using something it can generate hashes from is fine

  1043. pep.

    But the point of SCRAM for me is that the server doesn't know about your plaintext password. So if you do PLAIN ~

  1045. dos

    jonas’: thanks, haven't thought about 356 for that :)

  1046. SamWhited

    pep. I suppose that's fair

  1047. SamWhited

    It seems much better to have a way to flexibly and rapidly upgrade auth mechanisms when an attack is discovered than to worry about a server secretly storing your password when it probably got it at some point when you registered anyways

  1048. jjrh has left

  1049. SamWhited

    It could also just be a "clear your SCRAM-bits cache and don't start from the intermediate step" message too though, I suppose.

  1050. Tobias has left

  1051. Tobias has joined

  1052. pep.

    You still need to use some protocol to set your password right with SCRAM, does that exist in 389? I haven't read through. TBH I don't mind doing PLAIN with clients that don't support, they should update, that's not my fault. But if possible I want to keep the assumptions the user has with me

  1053. dos

    goffi: so far I'm just looking at improving spectrum2; my goal is to have proper facebook, hangouts, discord and maybe matrix bridging for use by me and my friends

  1054. SamWhited

    pep. no, 0398 just provides a way for you to define challenges. It was my intention to define a SASL one.

  1055. pep.

    ok

  1056. iiro.laiho has joined

  1057. SamWhited

    But it does add the ability for us to do that

  1058. SamWhited

    Actually, that one should probably just be one of the mandatory ones that's included in 0398 itself. Right now there's just one for submitting a form like in regular IBR

  1059. Zash has left

  1060. Neustradamus has left

  1061. Neustradamus has joined

  1062. iiro.laiho has left

  1063. jjrh has left

  1064. Kev has joined

  1065. Maranda growls

  1066. Maranda

    https://pastebin.com/s4usVWMZ

  1067. jjrh has left

  1068. jjrh has left

  1069. labdsf has left

  1070. moparisthebest

    meh pep. I mean you use a different password with each service anyway, why does it matter if your server has it?

  1071. moparisthebest

    also lets me support same password for xmpp, email, and http auth easily, and with a strong hash on the server

  1072. pep.

    moparisthebest, you do, yes

  1073. pep.

    I am sure 90% of a public service like jabberfr.org doesn't

  1074. moparisthebest

    my question is, is whatever 'part of scram whatever' that your server stores hard to reverse or not?

  1075. pep.

    I also do fwiw. It's not me I'm worried about

  1076. Kev has left

  1077. alacer has left

  1078. alacer has joined

  1079. labdsf has joined

  1080. jjrh has left

  1081. jjrh has left

  1082. SamWhited

    You have to trust the server for the most part anyways, that's part of XMPP's security model and you almost certainly had to send the server your password somehow when you first signed up, so it could have saved it then if it really wanted to

  1083. SamWhited

    So if you're going to worry about other people reusing passwords and the server saving a plain copy of it, you have a lot more work to do.

  1084. lorddavidiii has left

  1085. pep.

    SamWhited, yeah, which is why I also want SCRAM/IBR

  1086. lorddavidiii has joined

  1087. pep.

    step by step

  1088. SamWhited

    Doesn't seem worth bothering with to me; just send the server your password on occasion. It's not significantly worse from a security standpoint, and might even be significantly better since it allows for more agile password hashing schemes in the event that the one you're using is discovered to be flawed.

  1089. SamWhited

    But I dunno, I'm just thinking out loud. Maybe there's an easy way to make SCRAM upgrade-able too.

  1090. js has joined

  1091. pep.

    I wouldn't mind a force password reset fwiw

  1092. peter has joined

  1093. Kev has joined

  1094. Kev has left

  1095. j.r has joined

  1096. pep.

    I guess we do all that to protect against offline attacks. So when for some reason we want to change hashes, we also don't want to keep $old_hash around, otherwise that defeats the point of why we keep hashes in the first place, which makes us lose the ability to authenticate users at all and certainly require another channel :/

  1097. Zash

    moparisthebest: The stuff that SCRAM lets you store is hard to reverse, yes.

  1098. moparisthebest

    but compared to bcrypt/scrypt/?

  1099. jjrh has left

  1100. jjrh has left

  1101. moparisthebest

    like have cryptographers agreed it is *as* hard to reverse as those

  1102. Zash

    moparisthebest: It uses a password stretching function called Password Based Key Derivation Function no 2

  1103. Zash

    I'd put it in the same class of things as bcrypt and scrypt

  1104. Zash

    I wouldn't consider that part all that important, I'm pretty sure you could switch it out for bcrypt/scrypt/whatever and have the overall SCRAM construct still work

  1105. Zash

    Thing is, those password stretching functions take a password and some salt and give you a key. SCRAM magic consists of adding two-three layers of hashes on that and some XOR in a way that lets you store the password *everywhere*

  1106. Zash

    Ie Client can store hashed stuff. Server can store hashed stuff.

  1107. Zash

    Hashed stuff on the wire.

  1108. Maranda

    SamWhited, I'm not sure what's wrong here... apparently bxor is broken by some additional x byte in the proof.

  1109. moparisthebest

    it just sounds very complicated, normally you don't want very complicated in your security proofs

  1110. Zash

    moparisthebest: It's not all that complicated

  1111. Maranda

    it's 21 iterations instead of 20, the 21st is truncated and breaks XOR

  1112. Zash

    moparisthebest: Not sure if you need to understand how it works to understand this description: https://prosody.im/pastebin/6f7b2c8b-8952-458b-a1d2-36d29bacd345

  1113. jjrh has left

  1114. jjrh has left

  1115. SamWhited

    moparisthebest: PBKDF2 is still considered secure, yes. I believe OWASP recommends it over scrypt and it's usable if you're looking for FIPS compliance

  1116. moparisthebest

    yea just wasn't sure if PBKDF2 was what was stored or not

  1117. SamWhited

    Its weakness is that it can be implemented with very little RAM, scrypt does a better job there

  1118. intosi has left

  1119. intosi has joined

  1120. SamWhited

    Yah, you can store the salted password after passing it through PBKDF2 or you can take an hmac of the salted password and a server or client KEY and store that (the "scram bits"). This is what I always store (for no particular reason other than it's one less thing to do later)

  1121. j.r has joined

  1122. Zash

    "StoredKey" is H(HMAC(PBKDF2(password, salt, i), "Client Key"))

  1123. alacer has left

  1124. alacer has joined

  1125. SamWhited

    ah yah, forgot you re-hash it too

  1126. Zash

    moparisthebest: https://tools.ietf.org/html/rfc5802#section-3

  1127. ThibG has joined

  1128. SamWhited

    OWASP recommendations, FWIW: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

  1129. Dave Cridland has left

  1130. SamWhited

    Hmm, I haven't looked at my SASL implementation in a while, this reminds me that I also need to add some mechanism for caching keys or resuming a calculation so that the user can build a mechanism for caching keys

  1131. SamWhited

    That's going to be a pain to come up with a good API for

  1132. efrit has joined

  1133. jjrh has left

  1134. jjrh has left

  1135. Maranda has left

  1136. Maranda has joined

  1137. js has left

  1138. Maranda has left

  1139. Maranda has joined

  1140. goffi has left

  1141. jjrh has left

  1142. jjrh has left

  1143. lorddavidiii has left

  1144. Alex has left

  1145. ThibG has left

  1146. ThibG has joined

  1147. tux has joined

  1148. jjrh has left

  1149. jjrh has left

  1150. pep.

    SamWhited, moparisthebest, fwiw I'd prefer to avoid passwords at all and use client certs I generate. That can leak I don't actually care.

  1151. Maranda has left

  1152. Maranda has joined

  1153. labdsf has left

  1154. labdsf has joined

  1155. Maranda has left

  1156. Maranda has joined

  1157. Dave Cridland has left

  1158. moparisthebest

    how do you sign in with a new client then?

  1159. moparisthebest

    if you say password I'm going to ask what the point is :)

  1160. jjrh has left

  1161. jjrh has left

  1162. SamWhited

    I'd like something like that where when you sign in with a new client it shows a pop-up on your old client and if you hit yes, you're signed in.

  1163. pep.

    yeah, I was going to say something similar

  1164. pep.

    Not that I have really researched on the subject

  1165. SamWhited

    It's hard to get a good UX that way (see OMEMO which is a pain in the ass to use), but I do think it can be done with a lot of work.

  1166. pep.

    Also you still need another channel for recovery

  1167. SamWhited

    We should probably get a basic password flow working reasonably well first though.

  1168. SamWhited

    Yah, recovery is more or less the same no matter what you have. If you want to be able to recover, you need some other channel. Email or what have you.

  1169. Zash

    What if you have some kind of shared secret that you can remember in your brain?

  1170. pep.

    Somebody said passwords?

  1171. SamWhited

    (IBR2 also supports recovery specifically, FWIW)

  1172. lnj has left

  1173. pep.

    This I really like in 389: A client SHOULD be able to register an account without requiring the user to leave the client. A client MUST be able to use the same mechanism to register an account and to recover a forgotten password (subject to server policy).

  1174. pep.

    Is there an ordering of XEPs that is not by number btw?

  1175. ThibG has joined

  1176. pep.

    By category, by..

  1177. pep.

    Ah there's the page on xmpp.org to filter a bit

  1178. SamWhited

    That SHOULD should probably be relaxed actually; that really heavily depends on the type of service and probably shouldn't be 2119 language.

  1179. pep.

    meh, I think that's the most important part for easy-onboarding

  1180. SamWhited

    Yah, but only if you're doing a purely-XMPP personal server. Specs shouldn't be tailored to those.

  1181. pep.

    right

  1182. SamWhited

    purely-XMPP-public-Jabber-network, that is.

  1183. jjrh has left

  1184. jjrh has left

  1185. pep.

    But then you have to make everything optional in specifications if you want to support every use case

  1186. j.r has left

  1187. j.r has joined

  1188. SamWhited

    I don't want to support every use case, I just don't want to put stupid hard limits in that serve no purpose that everyone will just ignore anyways

  1189. SamWhited

    The recommendation is good, but RFC 2119 language isn't really suitable here

  1190. Syndace has left

  1191. Syndace has joined

  1192. SamWhited

    In other words: we can have a design considerations section, but it shouldn't be normative.

  1193. pep.

    I was saying that more as a general rule, as in, "it's incidentally what happens the more use-case you want to support"

  1194. lskdjf has left

  1195. SamWhited

    I agree with that, but that's not what's happening here

  1196. pep.

    k

  1197. SamWhited

    Even if the spec were deliberately an XMPP-only/public jabber spec for some reason, design considerations that are only tangentially related to the spec probably shouldn't be normative 2119 language

  1198. jjrh has left

  1199. jjrh has left

  1200. SamWhited

    (I'm not suggesting that entire line should be removed, in case I'm not being clear: just that it should say "should" instead of "SHOULD")

  1201. daniel has left

  1202. pep.

    I don't think 2119 mandates CAPS does it

  1203. SamWhited

    pep. it does (or at least, an update does, I forget exactly where it says that)

  1204. pep.

    "These words are often capitalized"

  1205. pep.

    So, no

  1206. SamWhited

    8174

  1207. pep.

    oh

  1208. SamWhited

    I'm saying 2119 out of habit

  1209. pep.

    hah, I see

  1210. pep.

    Just for this exact use case :P

  1211. lnj has left

  1212. SamWhited

    But yah, however it's done I just mean that the language in that sentence should not be normative. I assume lowercase does that, but maybe it would just need to be rephrased.

  1213. js has joined

  1214. js has left

  1215. jjrh has left

  1216. jjrh has left

  1217. moparisthebest has left

  1218. lskdjf has joined

  1219. lskdjf has left

  1220. ThibG has left

  1221. ThibG has joined

  1222. peter

    My preference as a spec author is to use MUST, SHOULD, MAY etc. only in caps, and to use other words (ought, might, can, etc.) if the normative force is not intended.

  1223. jjrh has left

  1224. daniel has left

  1225. SamWhited

    Agreed; that's probably a good thing to do to reduce confusion.

  1226. peter

    Precisely.

  1227. js has joined

  1228. jjrh has left

  1229. lumi has joined

  1230. Zash has left

  1231. blabla has left

  1232. blabla has joined

  1233. peter has left

  1234. Dave Cridland has left

  1235. alexis has joined

  1236. thorsten has left

  1237. daniel has left

  1238. daniel has joined

  1239. waqas has left

  1240. thorsten has joined

  1241. SamWhited has left

  1242. alexis has left

  1243. lovetox has left

  1244. js has left

  1245. jjrh has left

  1246. js has joined

  1247. Maranda

    Signature 32 bytes, Proof 20 bytes

  1248. Maranda

    >.>

  1249. Maranda

    SamWhited, that doesn't look right

  1250. Maranda

    (what Conversations does)

  1251. alexis has joined

  1252. alexis has left

  1253. Guus has left

  1254. Guus has joined

  1255. Dave Cridland has left

  1256. alexis has joined

  1257. SamWhited

    I'm not at my desk right now but I did test it against a server impl, it's quite possible something is still wrong though (I'm assuming that's in the scram-sha256 code somewhere?)

  1258. jjrh has left

  1259. alexis has left

  1260. jjrh has left

  1261. alexis has joined

  1262. alexis has left

  1263. alexis has joined

  1264. alexis has left

  1265. alexis has joined

  1266. alexis has left

  1267. jjrh has left

  1268. jjrh has left

  1269. alexis has joined

  1270. waqas has joined

  1271. Dave Cridland has left

  1272. js has left

  1273. moparisthebest has joined

  1274. moparisthebest has joined

  1275. jjrh has left

  1276. 404.city has left

  1277. jjrh has left

  1278. alacer has left

  1279. jjrh has left

  1280. jjrh has left

  1281. Dave Cridland has left

  1282. peter has joined

  1283. alexis has joined

  1284. labdsf has left

  1285. labdsf has joined

  1286. jjrh has left

  1287. jjrh has left

  1288. UsL has joined

  1289. alacer has left

  1290. alacer has joined