Maranda: SamWhited, and it's not falling back either on malformed request...
Maranda: I'll have to blacklist the mechanism
SamWhited: Oh yah, it doesn't do that, otherwise it would be a potential DOS
SamWhited: It only falls back if the feature isn't advertised at all and no successful auth has caused a mechanism to be pinned, IIRC
SamWhited: *a higher-priority mechanism to be pinned
edhelas: were there some discussions regarding the GDPR and the usage of transports with XMPP?
edhelas: > and Mojave completes the transition by pulling out Jabber support
Zash: Who
edhelas: macOS Mojave, the state of XMPP in iMessage was already bad, now it's gone
edhelas: so it leaves us with not much actually
edhelas: Dino doesn't have a stable build yet for macOS, Adium is based on libpurple, there's maybe Swift
edhelas: and Movim but it's an Electron client :p
jonas’: gajim?
edhelas: yes indeed
Zash: Monal?
goffi: Cagou (SàT) is working on Mac OS, but needs people to test it (I have no Mac myself)
dos: there's Monal, but it still feels somewhat beta, especially regarding MUCs
Ge0rG: And it's absent from the EU.
dos: I've tried it when looking for a client for gf, but eventually opted for fixing movim's electron client, it really felt like the best xmpp chat option on macOS :P
dos: I'm in Poland and I downloaded it from the app store... a month ago?
dos: but it might be absent on iOS
Zash: GDPR FUD ey?
dos: well, yeah, when I read the blog post on Monal site I facepalmed pretty hard xd
dos: it would be way more understandable for Movim to have such concerns, but Monal?
dos: I mean... unless there's something in Monal we don't know about ( ͡° ͜ʖ ͡°)
edhelas: Maybe for Movim as well ( ͡° ͜ʖ ͡°)
moparisthebest: Speaking as a service operator who has 'banned EU residents' we don't really care if you use it, just don't want to be bothered with GDPR crap
Link Mauve: Because it’s so hard to just not sell our data, and to allow us to retrieve or delete it.
moparisthebest: Well I can lie to your face and swear I've audited everything and I'm compliant
moparisthebest: Or just not bother
moparisthebest: I'm probably compliant, just don't care
Maranda: Too bad that GDPR protects nothing basically, and causes only annoyances to operators and ultimately users. One of those proper "EU style" things.
Maranda: Like the latest filter shit they came out with, that's just brilliant.
moparisthebest: yep Maranda basically that
moparisthebest: GDPR compliance costs google and facebook nothing, they already have a million engineers, customer service, and lawyers
moparisthebest: meanwhile now I have to know journald's default retention period, make sure it doesn't change with updates, document it somewhere public, hire an EU rep, then have a lawyer check over everything and declare if I'm GDPR compliant or not?
moparisthebest: or... I can just tell EU residents to buzz off and not think about it. :D
Maranda: And they can pay the fines anyways or refuse to, and eventually just bury EU under tons of stamped paper.
Zash: It got kinda tiresome to read that kind of thing in May.
Maranda: 🤣
Ge0rG: especially as most of it is wrong.
Zash: As I said before,
> GDPR FUD ey?
moparisthebest: Ge0rG, allow me to simplify, if not required by law, is it easier to care about it or not care about it? :)
Ge0rG: moparisthebest: if you want to use my data, you better know where it's stored
moparisthebest: Ge0rG, so you know the retention period of every log on every server, and go line by line over all code changes every update to make sure it doesn't change?
moparisthebest: cause, that sounds like a lot of work compared to 'not caring'
dos: GDPR doesn't care about your "every log"
Ge0rG: moparisthebest: in the strictest sense I've seen so far, you need to ensure that if you roll back a backup, all accounts deleted since that backup will be deleted after the rollback
moparisthebest: and that means what for IRC
moparisthebest: also, by definition, if my server explodes and I have to restore from backup, how would I ever know which accounts had been deleted in between date-of-last-backup and server-explosion
moparisthebest: that's an insane requirement
Ge0rG: moparisthebest: since when does an IRC server store *anything*?
moparisthebest: services and logs
Ge0rG: moparisthebest: I'm not sure if you are attempting to be ignorant or arrogant here. I'm sure you haven't missed first my and then the XSF announcement of an XMPP server data privacy template. You could have just copied the relevant section about logging from there.
moparisthebest: seriously though, with any type of service, if you are restoring from backup you presumably don't have any data from before that backup right?
moparisthebest: such as, what accounts were deleted
Ge0rG: Sorry, I have some real work to be done. If you need further assistance, I can ask my employer for a consulting offer :P
moparisthebest: thanks for confirming what I said about google/facebook being able to afford GDPR compliance and normal people not being able to
SamWhited: As far as I can tell the GDPR is mostly perfectly reasonable requirements, unlike most of the tech laws that come out of europe. If you can't afford compliance, you're probably either misunderstanding and aren't covered by it or shouldn't be operating a service that stores other people's private data.
Ge0rG: moparisthebest: the good thing is that normal people will not be held to the same standards as Google.
moparisthebest: good thing is people outside the insanity that is EU won't be held to those insane standards at all
Zash: Yeah the requirements and therefore costs seemed to scale with size well enough
SamWhited: What's insane about requiring that you disclose who you're sharing user data with and making it easy for them to ask you to purge it? That seems perfectly reasonable.
Ge0rG: moparisthebest: oh, right. It's much better to live in a country where your ISP is free to datamine you, sell your location data to the highest bidder, to slow down your video streaming and to inject ads into your traffic.
moparisthebest: all networks are to be treated as an attacker, that's what encryption/authentication is for
moparisthebest: not 'please don't look at my data sir'
SamWhited: So encrypt your data? The law heavily encourages that because you're more responsible for losing your users' data
Ge0rG: moparisthebest: oh, great. Now tell me about that magic protocol that will protect my traffic from all analysis, even from traffic pattern recognition
Ge0rG: and don't say "use VPN" because the VPN provider is obviously subject to the same (lack of) laws
moparisthebest: are ISPs doing that now, I thought only govts that aren't affected by these laws did that anyhow
moparisthebest: doesn't seem like there would be a lot of money in it
SamWhited: None of this has anything to do with the law other than that it encourages it by making you more responsible though. I'm not even sure what the encryption thing was about, are you suggesting the law should have been *more* specific and required it?
Ge0rG: SamWhited: I think moparisthebest was speaking of encryption as a means for users to protect themselves from data collection
SamWhited: Ge0rG: which is fine, I just don't see what that has to do with this argument unless it's just a strawman
moparisthebest: SamWhited, I'm suggesting laws are useless with regard to internet privacy, and that encryption is the only option
SamWhited: If nothing else tons of companies have now put "Delete account" buttons on their product, which sounds great. That's not useless.
SamWhited: They also are making lists of all the people that they're selling or otherwise sharing my data with, which has been very nice.
Link Mauve: moparisthebest, now please tell me how to encrypt my Facebook friends in a way to prevent Facebook from knowing them.
SamWhited: So it doesn't appear that laws related to the internet are useless, quite the contrary, it's been fantastic.
Link Mauve: And from selling this graph to some other companies.
Ge0rG: SamWhited: nice but illegal. Almost none of the big data-selling news outlets actually honor the opt-in requirement
Ge0rG: SamWhited: and most just say "if you don't want our tracking, delete your cookies"
SamWhited: Ge0rG: so your argument is that some people won't follow laws, so we shouldn't have any?
Ge0rG: SamWhited: not at all. As a user, I love the GDPR
Link Mauve: Ge0rG, now let’s wait until enough of their users sue them.
Link Mauve: Now that the EU introduced class actions too.
Zash: What if we have both laws and tech to back them up?
moparisthebest: Link Mauve, easy, if you don't give them the data, they don't have it
Ge0rG: moparisthebest: you can't not give your data to a web site you are visiting
SamWhited: Anyways, I'm a big fan. It gets me frustrated when people dismiss it as another link tax sort of law that doesn't make sense, having implemented it at two companies where it *definitely* made the users' data safer
Link Mauve: moparisthebest, I can also throw away my computer and start growing potatoes, but that’s not something most people will want to do.
Link Mauve: Also, I am able to understand the implications of giving my data to Facebook, while most people aren’t.
SamWhited: Yah, if you have superpowers and can convince everyone to get off facebook, great, do that. In the mean time, since they're already on it, we need some sort of law that requires that Facebook plays nicely when they leave and cleans up their data.
Ge0rG: except that facebook isn't following the law, so we'll see some major fines in the next five to twenty years.
moparisthebest: so what's your opinion of latest EU laws? the actual link tax, and forced filtering of all uploaded content?
moparisthebest: are those good like GDPR too or is that over the line?
moparisthebest: I haven't seen the prosody or ejabberd modules to scan all stanzas for copyright violations that will be required either so
Ge0rG: moparisthebest: those are utter junk, pushed forward by big media lobbying
SamWhited: Those don't make any sense and are garbage because they're pretty much impossible to follow. The GDPR just lists basic data protections you should have been doing anyways
SamWhited: But I also haven't helped implement those anywhere, so I don't really know who has to follow them or what the specific details are.
moparisthebest: I agree the general basis of the GDPR is good general data practice to follow, I think it's both unenforceable in general and onerous to small operators though, and shouldn't really be a law, meh
SamWhited: God I wish we had something similar here; I'm sure it's not perfect, but I'm pretty okay with it being onerous if those small operators weren't bothering to protect my data before
Ge0rG: moparisthebest: it wouldn't have become a law if everybody was respecting users' privacy from day 1
SamWhited: As for unenforceable, I have no idea. We'll see if fines start rolling out or not I guess. But even if it's unenforceable, it's made two companies I've worked for improve their practices, so it seems to be doing good either way.
Ge0rG: and I'm sure it will be enforced.
Ge0rG: It just takes time. Significant time. Have a look at the timeframe of the Google Android antitrust case.
SamWhited: yah, I don't see why it wouldn't be, it seems straightforward enough… we may not have similar laws in the U.S., but people complain to the FCC about Google and then Google gets fined all the time. This seems to be the same just with more teeth.
SamWhited: (or whomever, Google's just a good stand in for "large company doing things they probably shouldn't be")
Ge0rG: Heh
edhelas: ok let's move the discussion there Link Mauve
edhelas: what is the current support of the code 104 in XMPP clients?
edhelas: I'm currently having some thoughts on that XEP and I'd like to propose some changes to generalize it
edhelas: the core idea of this XEP is to expose the vcard hash in the bare MUC JID disco#info and notify it using a message 104
edhelas: I'd like to propose to do that also for disco#info of Pubsub nodes and all JIDs (including users ones)
edhelas: the notification will then be done using a message for MUC, presence or message for users and pubsub message for Pubsub nodes
edhelas: then we basically cover all the cases using the same core mechanism
Maranda: SamWhited, if eventually you wanna have some fun ™️ https://conference.gajim.org:5281/pastebin/cd179f64-2dff-4968-9b36-c45b874b48fa
Maranda: :D
SamWhited: My SCRAM implementation can take any generic hash algorithm, so they're already implemented. On the other hand, those aren't actually defined anywhere and haven't been vetted, so probably not a good idea to use them :)
jonas’: which are not?
SamWhited: Anything other than SHA1 and SHA256, to my knowledge
jonas’: right
jonas’: although, I think SCRAM doesn’t care *too* much about the hash, as long as the hash is reversible; i.e. it should be as safe as any as long as the hash used is safe
jonas’: (that’s a property of PBKDF2 even)
SamWhited: Yah, it should be safe, but probably best not to use random hash algorithms that aren't defined anywhere for no reason; SHA-1 and SHA-256 are both fine.
jonas’: hmmm
SamWhited: Kafka supports SCRAM-SHA-512 for some reason, so I guess you could use it with that
jonas’: Maranda, if you just want to poke at your implementation, aioxmpp should support all of those (if your build of python has them).
jonas’: (you’d have to play some tricks to force it to use a specific one of them though)
SamWhited: ugg, does aiosasl support all these too? That makes me sad
Maranda: 👍
jonas’: SamWhited, I don’t see a convincing argument for *not* allowing other variants of the SHA-2 family if one variant of the SHA-2 family is specified
SamWhited: Where security is concerned, just randomly changing things because it has a bigger number or whatever probably isn't a good idea. I can't imagine how this would go wrong, but for compatibility if nothing else it makes me sad that people are implementing them and other people consuming the library who don't know any better will think it's something to use
SamWhited: I don't see a convincing argument to implement them, and as far as I'm concerned the burden of proof should be on that side of things whenever auth is concerned.
jonas’: to be honest, I somewhat assumed that they were specified due to the wildcard in the IANA registry
SamWhited: Oh, interesting; I could be wrong. I didn't see an RFC though, does the IANA registry link to a document?
jonas’: I guess technically this is just a reservation of the SCRAM- prefix
SamWhited: Oh, yah, that's just a reservation for the entire family
jonas’:
> Note to future SCRAM-mechanism designers: each new SASL SCRAM
> mechanism MUST be explicitly registered with IANA within the SASL
> SCRAM Family Mechanisms registry.
jonas’: yeah
jonas’: that’s pretty explicit
jonas’: also a very convincing argument to remove support
jonas’: SamWhited, there you go https://github.com/horazont/aiosasl/issues/6
jonas’: the "minimum iteration count" parameter of the registry is interesting, too
SamWhited: ♡ thanks; between security concerns and standardization concerns this makes me very happy.
Maranda: hm, interesting, well the implementation in Metronome is SHA digesting algorithm agnostic as well so it doesn't matter.
SamWhited: It matters in the sense that this is auth which is extremely important and security sensitive. In crypto, tiny insubstantial changes can often have a big impact that we don't foresee; it's not exactly intuitive. I doubt this is a problem, but it doesn't help to add more algorithms for no reason and it *possibly* hurts. Might as well just leave it to the experts and not make up your own crypto.
SamWhited has huge pet peeve about this sort of thing
jonas’: me too, normally, but I hadn’t seen this as "making up new crypto" to be honest
SamWhited: Well, "changing existing crypto", then. I agree, I can't imagine this possibly causes any problems, but it's also not necessary so why take the risk?
jonas’: yeah
Maranda: SamWhited, I didn't mean that way :P
SamWhited: Heh, cool; sorry I'm being grumpy about it.
jonas’: ’tis fine
SamWhited: This is just the kind of thing where I expect the longer hash will cause some buffer operation to behave slightly differently on some architecture and then suddenly you have a side channel, or something.
Maranda: I didn't know they weren't defined either, blame google for returning result on SCRAM-SHA-384 and SCRAM-SHA-512 ✎
SamWhited: (well, I don't "expect" it, but I could see it happening)
Maranda: I didn't know they weren't defined either, blame google for returning results on SCRAM-SHA-384 and SCRAM-SHA-512 ✏
jonas’: that doesn’t make sense to me, actually
jonas’: that would be a fundamental problem of pbkdf2 then
jonas’: which I think we would know about
jonas’: (we = the cryptography community, thus warning louder against it and deprecating pbkdf2 for that reason)
SamWhited: I was just making up a random example, I agree it's not likely