SamWhited, and it's not falling back either on malformed request...
Maranda
I'll have to blacklist the mechanism
SamWhited
Oh yah, it doesn't do that, otherwise it would be a potential DOS
SamWhited
It only falls back if the feature isn't advertised at all and no successful auth has caused a mechanism to be pinned, IIRC
SamWhited
*a higher-priority mechanism to be pinned
edhelas
was there some discussions regarding the GDPR and the usage of transports with XMPP ?
edhelas
> and Mojave completes the transition by pulling out Jabber support
Zash
Who
edhelas
macOS Mojave, the state of XMPP in iMessage was already bad, now it's gone
edhelas
so leave us with not much actually
edhelas
Dino doesn't have a stable build yet for macOS, Adium is based on libpurple, there's maybe Swift
edhelas
and Movim but it's an Electron client :p
jonas’
gajim?
edhelas
yes indeed
Zash
Monal?
goffi
Cagou (SàT) is working on Mac OS, but needs people to test it (I have no Mac myself)
dos
there's Monal, but it still feels somewhat beta, especially regarding MUCs
Ge0rG
And it's absent from the EU.
dos
I've tried it when looking for a client for gf, but eventually opted for fixing movim's electron client, it really felt like the best xmpp chat option on macOS :P
dos
I'm in Poland and I downloaded it from the app store... month ago?
dos
but it might be absent on iOS
Zash
GDPR FUD ey?
dos
well, yeah, when I read the blog post on Monal site I facepalmed pretty hard xd
dos
it would be way more understandable for Movim to have such concerns, but Monal?
dos
I mean... unless there's something in Monal we don't know about ( ͡° ͜ʖ ͡°)
edhelas
Maybe for Movim as well ( ͡° ͜ʖ ͡°)
moparisthebest
Speaking as a service operator who has 'banned EU residents', we don't really care if you use it, just don't want to be bothered with GDPR crap
Link Mauve
Because it’s so hard to just not sell our data, and to allow us to retrieve or delete it.
moparisthebest
Well, I can lie to your face and swear I've audited everything and I'm compliant
moparisthebest
Or just not bother
moparisthebest
I'm probably compliant, just don't care
Maranda
Too bad that GDPR protects nothing basically, and causes only annoyances to operators and ultimately users. One of those proper "EU style" things.
Maranda
Like the latest filter shit they came out with, that's just brilliant.
moparisthebest
yep Maranda basically that
moparisthebest
GDPR compliance costs google and facebook nothing, they already have a million engineers, customer service, and lawyers
moparisthebest
meanwhile now I have to know journald's default retention period, make sure it doesn't change with updates, document it somewhere public, hire an EU rep, then have a lawyer check over everything and declare if I'm GDPR compliant or not?
moparisthebest
or... I can just tell EU residents to buzz off and not think about it. :D
Maranda
And they can pay the fines anyways or refuse to, and eventually just bury EU under tons of stamped paper.
Zash
It got kinda tiresome to read that kind of thing in May.
Maranda
🤣
Ge0rG
especially as most of it is wrong.
Zash
As I said before,
> GDPR FUD ey?
moparisthebest
Ge0rG, allow me to simplify, if not required by law, is it easier to care about it or not care about it? :)
Ge0rG
moparisthebest: if you want to use my data, you better know where it's stored
moparisthebest
Ge0rG, so you know the retention period of every log on every server, and go line by line over all code changes every update to make sure it doesn't change?
moparisthebest
cause, that sounds like a lot of work compared to 'not caring'
dos
GDPR doesn't care about your "every log"
Ge0rG
moparisthebest: in the strictest sense I've seen so far, you need to ensure that if you roll back a backup, all accounts deleted since that backup will be deleted after the rollback
moparisthebest
and that means what for IRC
moparisthebest
also, by definition, if my server explodes and I have to restore from backup, how would I ever know which accounts had been deleted in between date-of-last-backup and server-explosion
moparisthebest
that's an insane requirement
Ge0rG
moparisthebest: since when does an IRC server store *anything*?
moparisthebest
services and logs
Ge0rG
moparisthebest: I'm not sure if you are attempting to be ignorant or arrogant here. I'm sure you haven't missed first my and then the XSF announcement of an XMPP server data privacy template. You could have just copied the relevant section about logging from there.
moparisthebest
seriously though, with any type of service, if you are restoring from backup you presumably don't have any data from before that backup right?
moparisthebest
such as, what accounts were deleted
Ge0rG
Sorry, I have some real work to be done. If you need further assistance, I can ask my employer for a consulting offer :P
moparisthebest
thanks for confirming what I said about google/facebook being able to afford GDPR compliance and normal people not being able to
SamWhited
As far as I can tell the GDPR is mostly perfectly reasonable requirements, unlike most of the tech laws that come out of europe. If you can't afford compliance, you're probably either misunderstanding and aren't covered by it or shouldn't be operating a service that stores other peoples private data.
Ge0rG
moparisthebest: the good thing is that normal people will not be held to the same standards as Google.
moparisthebest
good thing is people outside the insanity that is EU won't be held to those insane standards at all
Zash
Yeah the requirements and therefore costs seemed to scale with size well enough
SamWhited
What's insane about requiring that you disclose who you're sharing user data with and making it easy for them to ask you to purge it? That seems perfectly reasonable.
Ge0rG
moparisthebest: oh, right. It's much better to live in a country where your ISP is free to datamine you, sell your location data to the highest bidder, to slow down your video streaming and to inject ads into your traffic.
moparisthebest
all networks are to be treated as an attacker, that's what encryption/authentication is for
moparisthebest
not 'please don't look at my data sir'
SamWhited
So encrypt your data? The law heavily encourages that because you're more responsible for losing your users' data
Ge0rG
moparisthebest: oh, great. Now tell me about that magic protocol that will protect my traffic from all analysis, even from traffic pattern recognition
Ge0rG
and don't say "use VPN" because the VPN provider is obviously subject to the same (lack of) laws
moparisthebest
are ISPs doing that now, I thought only govts that aren't affected by these laws did that anyhow
moparisthebest
doesn't seem like there would be a lot of money in it
None of this has anything to do with the law other than that it encourages it by making you more responsible though. I'm not even sure what the encryption thing was about, are you suggesting the law should have been *more* specific and required it?
Andrew Nenakhovhas joined
Ge0rG
SamWhited: I think moparisthebest was speaking of encryption as a means for users to protect themselves from data collection
SamWhited
Ge0rG: which is fine, I just don't see what that has to do with this argument unless it's just a strawman
moparisthebest
SamWhited, I'm suggesting laws are useless with regard to internet privacy, and that encryption is the only option
SamWhited
If nothing else tons of companies have now put "Delete account" buttons on their product, which sounds great. That's not useless.
Andrew Nenakhovhas joined
SamWhited
They also are making lists of all the people that they're selling or otherwise sharing my data with, which has been very nice.
Andrew Nenakhovhas left
Link Mauve
moparisthebest, now please tell me how to encrypt my Facebook friends in a way to prevent Facebook from knowing them.
Andrew Nenakhovhas joined
SamWhited
So it doens't appear that laws related to the internet are useless, quite the contrary, it's been fantastic.
Link Mauve
And from selling this graph to some other companies.
Andrew Nenakhovhas left
Ge0rG
SamWhited: nice but illegal. Almost none of the big data-selling news outlets actually honor the opt-in requirement
Ge0rG
SamWhited: and most just say "if you don't want our tracking, delete your cookies"
SamWhited
Ge0rG: so your argument is that some people won't follow laws, so we shouldn't have any?
Ge0rG
SamWhited: not at all. As a user, I love the GDPR
Link Mauve
Ge0rG, now let’s wait until enough of their users sue them.
Link Mauve
Now that the EU introduced class actions too.
Zash
What if we have both laws and tech to back them up?
moparisthebest
Link Mauve, easy, if you don't give them the data, they don't have it
Ge0rG
moparisthebest: you can't not give your data to a web site you are visiting
SamWhited
Anyways, I'm a big fan. It gets me frustrated when people dismiss it as another link tax sort of law that doesn't make sense, having implemented it at two companies where it *definitely* made the users data safer
Link Mauve
moparisthebest, I can also throw away my computer and start growing potatoes, but that’s not something most people will want to do.
Link Mauve
Also, I am able to understand the implications of giving my data to Facebook, while most people aren’t.
SamWhited
Yah, if you have superpowers and can convince everyone to get off facebook, great, do that. In the mean time, since they're already on it, we need some sort of law that requires that Facebook plays nicely when they leave and cleans up their data.
Ge0rG
except that facebook isn't following the law, so we'll see some major fines in the next five to twenty years.
moparisthebest
so what's your opinion of latest EU laws? the actual link tax, and forced filtering of all uploaded content?
moparisthebest
are those good like GDPR too or is that over the line?
moparisthebest
I haven't seen the prosody or ejabberd modules to scan all stanzas for copyright violations that will be required either so
Ge0rG
moparisthebest: those are utter junk, pushed forward by big media lobbying
SamWhited
Those don't make any sense and are garbage because they're pretty much impossible to follow. The GDPR just lists basic data protections you should have been doing anyways
SamWhited
But I also haven't helped implement those anywhere, so I don't really know who has to follow them or what the specific details are.
moparisthebest
I agree the general basis of the GDPR is good general data practice to follow, I think it's both unenforceable in general and onerous to small operators though, and shouldn't really be a law, meh
SamWhited
God I wish we had something similar here; I'm sure it's not perfect, but I'm pretty okay with it being onerous if those small operators weren't bothering to protect my data before
Ge0rG
moparisthebest: it wouldn't have become a law if everybody was respecting users' privacy from day 1
SamWhited
As for unenforceable, I have no idea. We'll see if fines start rolling out or not I guess. But even if it's unenforceable, it's made two companies I've worked for improve their practices, so it seems to be doing good either way.
Ge0rG
and I'm sure it will be enforced.
Ge0rG
It just takes time. Significant time. Have a look at the timeframe of the Google Android antitrust case.
SamWhited
yah, I don't see why it wouldn't be, it seems straightforward enough… we may not have similar laws in the U.S., but people complain to the FCC about Google and then Google gets fined all the time. This seems to be the same just with more teeth.
SamWhited
(or whomever, Google's just a good stand in for "large company doing things they probably shouldn't be")
what is the current support for code 104 in XMPP clients?
edhelas
I'm currently having some thoughts on that XEP and I'd like to propose some changes to generalize it
edhelas
the core idea of this XEP is to expose the vcard hash in the bare MUC JID disco#info and notify it using a message 104
edhelas
I'd like to propose to do that for also disco#info of Pubsub nodes and all JIDs (including users ones)
edhelas
the notification will then be done using a message for MUC, presence or message for users and pubsub message for Pubsub nodes
edhelas
then we basically cover all the cases using the same core mechanism
Maranda
SamWhited, if eventually you wanna have some fun ™️ https://conference.gajim.org:5281/pastebin/cd179f64-2dff-4968-9b36-c45b874b48fa
Maranda
:D
SamWhited
My SCRAM implementation can take any generic hash algorithm, so they're already implemented. On the other hand, those aren't actually defined anywhere and haven't been vetted, so probably not a good idea to use them :)
jonas’
which are not?
SamWhited
Anything other than SHA1 and SHA256, to my knowledge
jonas’
right
jonas’
although, I think SCRAM doesn’t care *too* much about the hash, as long as the hash is reversible; i.e. it should be as safe as any as long as the hash used is safe
jonas’
(that’s a property of PBKDF2 even)
SamWhited
Yah, it should be safe, but probably best not to use random hash algorithms that aren't defined anywhere for no reason; SHA-1 and SHA-256 are both fine.
jonas’
hmmm
SamWhited
Kafka supports SCRAM-SHA-512 for some reason, so I guess you could use it with that
jonas’
Maranda, if you just want to poke at your implementation, aioxmpp should support all of those (if your build of python has them).
jonas’
you’d have to play some tricks to force it to use a specific one of them though
SamWhited
ugg, does aiosasl support all these too? That makes me sad
Maranda
👍
jonas’
SamWhited, I don’t see a convincing argument for *not* allowing other variants of the SHA-2 family if one variant of the SHA-2 family is specified
SamWhited
Where security is concerned, just randomly changing things because it has a bigger number or whatever probably isn't a good idea. I can't imagine how this would go wrong, but for compatibility if nothing else it makes me sad that people are implementing them and other people consuming the library who don't know any better will think it's something to use
dwdhas left
SamWhited
I don't see a convincing argument to implement them, and as far as I'm concerned the burden of proof should be on that side of things whenever auth is concerned.
jonas’
to be honest, I somewhat assumed that they were specified due to the wildcard in the IANA registry
SamWhited
Oh, interesting; I could be wrong. I didn't see an RFC though, does the IANA registry link to a document?
I guess technically this is just a reservation of the SCRAM- prefix
SamWhited
Oh, yah, that's just a reservation for the entire family
jonas’
> Note to future SCRAM-mechanism designers: each new SASL SCRAM
> mechanism MUST be explicitly registered with IANA within the SASL
> SCRAM Family Mechanisms registry.
jonas’
yeah
jonas’
that’s pretty explicit
jonas’
also a very convincing argument to remove support
jonas’
SamWhited, there you go https://github.com/horazont/aiosasl/issues/6
jonas’
the "minimum iteration count" parameter of the registry is interesting, too
SamWhited
♡ thanks; between security concerns and standardization concerns this makes me very happy.
Maranda
hm, interesting, well the implementation in Metronome is SHA digesting algorithm agnostic as well so it doesn't matter.
SamWhited
It matters in the sense that this is auth which is extremely important and security sensitive. In crypto, tiny insubstantial changes can often have a big impact that we don't foresee; it's not exactly intuitive. I doubt this is a problem, but it doesn't help to add more algorithms for no reason and it *possibly* hurts. Might as well just leave it to the experts and not make up your own crypto.
* SamWhited has a huge pet peeve about this sort of thing
jonas’
me too, normally, but I hadn’t seen this as "making up new crypto" to be honest
SamWhited
Well, "changing existing crypto", then. I agree, I can't imagine this possibly causes any problems, but it's also not necessary so why take the risk?
jonas’
yeah
Maranda
SamWhited, I didn't mean that way :P
SamWhited
Heh, cool; sorry I'm being grumpy about it.
jonas’
’tis fine
SamWhited
This is just the kind of thing where I expect the longer hash will cause some buffer operation to behave slightly differently on some architecture and then suddenly you have a side channel, or something.
SamWhited
(well, I don't "expect" it, but I could see it happening)
Maranda
I didn't know they weren't defined either, blame google for returning results on SCRAM-SHA-384 and SCRAM-SHA-512
jonas’
that doesn’t make sense to me, actually
jonas’
that would be a fundamental problem of pbkdf2 then
jonas’
which I think we would know about
jonas’
(we = the cryptography community, thus warning louder against it and deprecating pbkdf2 for that reason)
SamWhited
I was just making up a random example, I agree it's not likely