XSF Discussion - 2019-01-03

  1. lnj has left
  2. moparisthebest has joined
  3. frainz has left
  4. frainz has joined
  5. vanitasvitae has joined
  6. lovetox has left
  7. redditor has left
  8. oli has joined
  9. l has left
  10. vanitasvitae has left
  11. vanitasvitae has left
  12. ThibG has left
  13. Half-Shot has joined
  14. benpa has joined
  15. _purple_bot has joined
  16. uhoreg has joined
  17. Matthew has joined
  18. vanitasvitae has joined
  19. benpa has joined
  20. uhoreg has joined
  21. _purple_bot has joined
  22. Matthew has joined
  23. j.r has joined
  24. j.r has left
  25. pep. s2s:show('hardteckno.com') | OK: Total: 60 outgoing, 48 incoming connections
  26. pep. bug? feature?
  27. pep. it's the exact same numbers as if I did without the domain, just that the connections don't get listed
  28. pep. oops.
  29. pep. wrong room
  30. vanitasvitae has left
  31. vanitasvitae has joined
  32. Half-Shot has joined
  33. oli has joined
  34. steven has left
  35. Lance has left
  36. lskdjf has joined
  37. l has joined
  38. Lance has joined
  39. vanitasvitae has left
  40. vanitasvitae has joined
  41. vanitasvitae has left
  42. vanitasvitae has joined
  43. Lance has left
  44. Lance has joined
  45. Ann has left
  46. Ann has joined
  47. Nekit has joined
  48. oli has joined
  49. Lance has left
  50. moparisthebest has joined
  51. daniel has left
  52. daniel has joined
  53. Lance has joined
  54. Lance has left
  55. UsL has joined
  56. sezuan has left
  57. lumi has left
  58. chunk has joined
  59. chunk has joined
  60. ThibG has joined
  61. jjrh has left
  62. Kev has left
  63. Kev has left
  64. Chunk has joined
  65. steven has left
  66. labdsf has left
  67. labdsf has joined
  68. alacer has joined
  69. igoose has left
  70. igoose has joined
  71. Kev has joined
  72. alacer has left
  73. waqas has joined
  74. moparisthebest has left
  75. moparisthebest has joined
  76. Yagiza has joined
  77. ta has left
  78. alacer has joined
  79. steven has joined
  80. alacer has left
  81. labdsf has left
  82. labdsf has joined
  83. alacer has joined
  84. lovetox has joined
  85. krauq has joined
  86. krauq has joined
  87. Chunk has joined
  88. labdsf has left
  89. labdsf has joined
  90. labdsf has left
  91. labdsf has joined
  92. moparisthebest has left
  93. Kev has left
  94. Kev has joined
  95. moparisthebest has joined
  96. waqas has left
  97. waqas has joined
  98. lorddavidiii has joined
  99. waqas has left
  100. labdsf has left
  101. labdsf has joined
  102. Ann has left
  103. Ann has joined
  104. ta has left
  105. Ann has left
  106. alacer has left
  107. rion has joined
  108. ThibG has left
  109. Ann has joined
  110. rion has left
  111. waqas has joined
  112. Nekit has joined
  113. moparisthebest has joined
  114. moparisthebest has joined
  115. krauq has joined
  116. goffi has joined
  117. labdsf has left
  118. Steve Kille has left
  119. oli has joined
  120. Steve Kille has joined
  121. pep. has left
  122. mrdoctorwho has left
  123. mrdoctorwho has joined
  124. labdsf has joined
  125. winfried has joined
  126. winfried has joined
  127. Andrew Nenakhov has left
  128. krauq has joined
  129. genofire has left
  130. ThibG has joined
  131. mrdoctorwho has left
  132. Guus has left
  133. Guus has left
  134. l has joined
  135. moparisthebest has joined
  136. steven has left
  137. Andrew Nenakhov has joined
  138. waqas has left
  139. l has left
  140. krauq has joined
  141. Guus has left
  142. l has joined
  143. vanitasvitae has left
  144. genofire has left
  145. genofire has joined
  146. pep. has joined
  147. lskdjf has joined
  148. Ann has left
  149. krauq has joined
  150. Maranda has joined
  151. waqas has joined
  152. Half-Shot_ has joined
  153. Half-Shot_ has left
  154. Ann has joined
  155. lorddavidiii has left
  156. Yagiza has left
  157. ralphm has left
  158. neshtaxmpp has joined
  159. freddo has left
  160. Ge0rG Why is "Simple IoT Client" listed in the XMPP Clients list, again?
  161. Ge0rG It also looks like its link is broken.
  162. jonas’ broken link -> expire it immediately
  163. lnj has joined
  164. Ge0rG What can I do to expire Pidgin?
  165. Ge0rG > waher.se took too long to respond. Might be a temporary failure.
  166. Ge0rG > broken link -> expire it immediately how long do I need to DDoS pidgin.im to get it removed?
  167. jonas’ hrhr
  168. waqas Ge0rG: Try it and let us know how long it takes.
  169. oli has joined
  170. Ge0rG is `<span style=" font-weight:600;">` correct XHTML-IM for bold?
  171. Zash If you allow style
  172. Ge0rG how is a client supposed to know that 600 = bold?
  173. jonas’ that’s how bold is defined
  174. jonas’ bold is just an alias for 600 or something
  175. waqas Ge0rG: you need a `</span>` for it to be valid
  176. jonas’ bold Bold font weight. Same as 700.
  177. jonas’ https://developer.mozilla.org/en-US/docs/Web/CSS/font-weight
  178. Ge0rG So 600 is not-quite-bold?
  179. jonas’ 600 Semi Bold (Demi Bold)
  180. Ge0rG poezio will display as bold if you have font-weight:anything in the CSS
  181. waqas font-weight: normal == 400
  182. jonas’ m(
  183. waqas Check out values here: https://developer.mozilla.org/en-US/docs/Web/CSS/font-weight#Values
  184. Andrew Nenakhov has joined
  185. jonas’ https://developer.mozilla.org/en-US/docs/Web/CSS/font-weight#Common_weight_name_mapping rather this table, no?
  186. waqas Yeah
  187. waqas That's a nice piece of documentation
  188. Ge0rG Now I remember again why I hate HTML
  189. waqas Ge0rG: Why exactly? :)
  190. jonas’ first, this is CSS
  191. jonas’ second, what’s wrong with its
  192. jonas’ second, what’s wrong with it?
  193. Ge0rG jonas’: CSS is a part of HTML.
  194. jonas’ CSS is commonly used with HTML, but you can use HTML without CSS just fine, and you can use CSS with things which are not HTML (e.g. GTK or SVR)
  195. Ge0rG You know what they said about PHP? A fractal of bad design.
  196. jonas’ CSS is commonly used with HTML, but you can use HTML without CSS just fine, and you can use CSS with things which are not HTML (e.g. GTK or SVG)
  197. jonas’ I don’t see that here though
  198. waqas Ge0rG: You need to make peace with the fact that everything sucks, and that is unlikely to ever change :)
  199. Andrew Nenakhov has left
  200. Andrew Nenakhov has joined
  201. Ge0rG waqas: I can't make peace with it, I can merely try to rant less.
  202. Andrew Nenakhov has joined
  203. Andrew Nenakhov has left
  204. Andrew Nenakhov has joined
  205. Andrew Nenakhov has left
  206. Andrew Nenakhov has joined
  207. waqas has left
  208. oli has joined
  209. Andrew Nenakhov has left
  210. Andrew Nenakhov has joined
  211. lorddavidiii has joined
  212. l has joined
  213. l has joined
  214. mrDoctorWho has joined
  215. vanitasvitae has left
  216. igoose has left
  217. Maranda has joined
  218. alacer has joined
  219. steven has joined
  220. alacer has left
  221. Zash has left
  222. Zash has left
  223. !xsf_Martin has joined
  224. frainz has left
  225. j.r has joined
  226. frainz has joined
  227. Andrew Nenakhov has joined
  228. Zash has left
  229. Andrew Nenakhov has joined
  230. Zash has left
  231. oli has joined
  232. krauq has joined
  233. 404.city has joined
  234. krauq has joined
  235. 404.city has left
  236. oli has joined
  237. benpa has joined
  238. uhoreg has joined
  239. _purple_bot has joined
  240. Matthew has joined
  241. labdsf has left
  242. labdsf has joined
  243. igoose has joined
  244. valo has joined
  245. j.r has joined
  246. oli has joined
  247. vanitasvitae has left
  248. oli has joined
  249. Andrew Nenakhov has left
  250. Andrew Nenakhov has joined
  251. Half-Shot has joined
  252. Half-Shot has left
  253. vanitasvitae has left
  254. jonas’ who’s responsible for the registries? (<https://github.com/xsf/registrar>)
  255. lumi has joined
  256. vanitasvitae has left
  257. vanitasvitae has left
  258. vinx55 has joined
  259. j.r has joined
  260. krauq has joined
  261. daniel has joined
  262. vinx55 has left
  263. nyco has left
  264. Yagiza has joined
  265. APach has left
  266. APach has left
  267. alacer has joined
  268. krauq has joined
  269. igoose has left
  270. igoose has joined
  271. nyco has joined
  272. vanitasvitae has left
  273. nyco has left
  274. lskdjf has joined
  275. labdsf has left
  276. Yagiza has left
  277. Yagiza has joined
  278. l has left
  279. Wiktor has left
  280. j.r has joined
  281. Guus jonas’ Until there is a perceived need for a more formal governing body, the functions of the XMPP Registrar shall be managed by the XMPP Extensions Editor [6]
  282. Guus https://xmpp.org/extensions/xep-0053.html
  283. Marc Laporte has joined
  284. thorsten has left
  285. thorsten has joined
  286. Marc Laporte has left
  287. labdsf has joined
  288. ralphm set the topic to XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
  289. ralphm bangs gavel
  290. ralphm 0. Welcome + Agenda
  291. ralphm Hi!
  292. ralphm nyco sent regrets
  293. jonas’ Guus, thx :)
  294. Seve Hi
  295. Guus hello
  296. ralphm MattJ?
  297. ralphm Anything to add to the agenda?
  298. Seve Not me
  299. Guus I just added things to Trello
  300. Guus trademark, email server status
  301. Seve can't get to a computer but is on his phone
  302. ralphm Ok
  303. ralphm Me too
  304. ralphm 1. Commitments
  305. waqas has joined
  306. waqas has left
  307. Guus eyes dwd
  308. ralphm Vacation is almost over here, making more time for all things XMPP this month.
  309. APach has joined
  310. ralphm Including finally getting the items with Peter sorted.
  311. waqas has joined
  312. ralphm 2. FOSDEM / Summit
  313. ralphm Guus, any news on hotel?
314. Guus I've sent a request for a quote, but have not received one yet.
  315. Guus I expect that to happen today or tomorrow
  316. Guus after which I'll forward it to the mailing lists, much like we did last year.
  317. ralphm Otherwise, let's sync tomorrow on all the things
  318. Guus (I'm getting a quote from Thon EU again)
  319. Guus I've also tried to reach out to the same restaurant for the XSF Dinner
  320. Guus couldn't get someone on the phone, but left a message
  321. Guus that's it for now.
  322. ralphm Ok
  323. ralphm Thanks
  324. ralphm 3. GSoC
  325. Seve Thank you Guus
  326. !xsf_Martin has joined
  327. Guus Joachim expressed some interest in participating, but communication seems to have broken down over the holidays.
  328. Guus (GSoC, that is)
  329. Guus I'll follow up with him
  330. Guus no others have stepped forward.
  331. Guus Let's aim to have a go/no go in next weeks meeting?
  332. ralphm Ok, maybe good to repeat the request now holidays are over
  333. Guus I don't like battering people. I'll publicly follow up Joachim. If someone else is interested, they can chime in.
  334. ralphm Ok
  335. MattJ Hey
  336. Seve Good
  337. MattJ Sorry, here now
  338. ralphm 5. JabberSpam trademark
  339. Guus hi MattJ
  340. ralphm (hi)
  341. mightyBroccoli has left
  342. ralphm Good comments, Guus
343. Guus Ge0rG has sent in an application that has had little response. He requests action.
  344. ralphm I'd still like to get guidance from Peter
  345. Ge0rG Peter acknowledged my request some two weeks ago.
  346. ralphm Yes, I got a copy
  347. Guus interestingly, the website speaks of a Trademark WT
  348. Guus who's that?
  349. Ge0rG IIRC, last time I asked for a trademark license, it ended up being voted by Board (after Peter's principal approval)
  350. ralphm Currently, just Peter, I think.
351. Guus (It does not explicitly name it a work team, but it suggests that there's a group of people, plus the executive directory, that are said team).
  352. ralphm Director
  353. Guus sorry 🙂
  354. mightyBroccoli has joined
  355. MattJ The agreement does mention a "trademark committee" iirc
  356. Guus that might be it, yes.
  357. ralphm Adding it to the list of topics.
  358. ralphm Ge0rG: trying to get that resolved soon
359. Guus I just created a small PR to the website, that should get Peter's attention too
  360. Guus (regarding pending trademark applications)
  361. !xsf_Martin has left
  362. Guus Hopefully, we can gain some traction that way too.
  363. ralphm 6. E-mail issue for seve
  364. Guus I'm not sure if this is just for Seve
  365. Ge0rG Further discussion has shown that I might need _two_ trademark permissions actually, one for the Org (requested), and another one for the "Jabber Spam Fighting Manifesto"
  366. !xsf_Martin has joined
  367. ralphm I saw some discussion and request to remove from RBL
  368. Guus I don't know what RBL is - or if we indeed do have an issue
  369. ralphm Seve: did you get nyco's email?
  370. Guus but for several weeks, people seem to have email related issues
371. Guus Seve is one, but mail from the wiki (on account creation) does not show up either
  372. Guus unsure if it is related
  373. ralphm If this keeps up we may have to start sending through a service like MailGun, I'll ask the iteam what their strategy is.
  374. Seve ralphm: still no new emails from XSF lists, I was thinking on waiting for a new email to check if I get them now
  375. Guus I'm hoping that iteam can give some kind of status update.
  376. ralphm Seve: ok, that was sent just before this meeting
  377. Guus if only to confirm or reject the notion that we have issues.
  378. ralphm Kev, intosi?
  379. Seve ralphm: then no, I still do not get them
  380. MattJ I think someone will have to check the mail server log again then
  381. ralphm Aye
  382. ralphm Ok, taking that up with iteam.
  383. Seve Thank you for this, I really appreciate that
  384. ralphm 7. AOB?
  385. Ge0rG I have one AOB
  386. Guus no AOB from me.
  387. MattJ None here
  388. Ge0rG Tomorrow is our 20th birthday. Somebody should give a party. https://slashdot.org/story/99/01/04/1621211/open-real-time-messaging-system
  389. ralphm Indeed.
  390. ralphm Of course the party will be distributed, with Disco and lots of Jingle.
  391. Seve :)
  392. Ge0rG ralphm: are you going to MIX the drinks?
  393. Guus musthinkofaMIXjoke...
  394. Guus thanks.
  395. ralphm Ge0rG: sure. I'm more Pub than Sub.
  396. Ge0rG that sounds rather zimpy.
397. Guus any practical ideas on commemorating the milestone?
  398. Guus apart from bad puns, obviously.
  399. Ge0rG Guus: somebody should write a blog post. I suggest "the half-life of instant messengers"
  400. ralphm I had great ideas and no time, so that didn't work out.
  401. Link Mauve I think we wanted to organise one with Nÿco this year.
  402. Ge0rG I'd volunteer, except -EBUSY
  403. waqas has left
  404. Guus that goes for everyone, I'm afraid.
  405. ralphm But we might be able to do something around the Summit
  406. Ge0rG maybe we can crowdsource it? Collect the lifespans of IMs in a pad
  407. mrDoctorWho Where does gajim keep the passwords on Windows?
  408. Ge0rG I can manage an hour or two tomorrow to write it down
  409. mrDoctorWho Oops
  410. mrDoctorWho Sorry, wrong chat
  411. Zash lol https://slashdot.org/comments.pl?sid=15607&cid=2048739
  412. ralphm Hehe
  413. ralphm Ok, with that.
  414. ralphm 8. Date of Next
  415. ralphm +1W
  416. MattJ wfm
  417. ralphm 9. Close Thanks all!
  418. Seve +1
  419. Guus until we meet again!
  420. ralphm bangs gavel
  421. Seve Thank you!
  422. ralphm set the topic to XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
  423. Ge0rG Zash: XMPP, a story of NIH
  424. Zash Ge0rG: All of humanity probably
  425. Ge0rG So does anyone volunteer to collect data about IM networks/apps and their lifetimes?
  426. Zash https://en.wikipedia.org/wiki/Instant_messaging#History
  427. Ge0rG Zash: that's very coarse
  428. Ge0rG but maybe a full history of all abandoned networks will be less funny of a read than I imagine
  429. labdsf has left
  430. Ge0rG Oh, https://waher.se/IoTGateway/SimpleIoTClient.md is back up
  431. vanitasvitae has left
  432. jjrh has left
  433. steven has left
  434. moparisthebest ha I didn't know that "The term "Instant Messenger" is a service mark of Time Warner[11] and may not be used in software not affiliated with AOL in the United States."
  435. labdsf has joined
  436. neshtaxmpp has joined
  437. daniel has joined
  438. steven wtf is that true??
  439. MattJ Things like that are why we ended up with the term "roster", when at the time everyone was talking about your "buddy list(TM)" (e.g. https://www.bizjournals.com/sanjose/stories/1999/05/31/story7.html )
  440. lovetox has joined
  441. krauq has joined
  442. Ge0rG Also why we ended up with XMPP.
  443. UsL has left
  444. Zash Trademarks are why we can't have nice things
  445. UsL has joined
  446. UsL has left
  447. UsL has joined
  448. UsL has left
  449. jjrh has left
  450. Ge0rG trademarks don't expire, right?
  451. MattJ They do
  452. Zash No they don't
  453. MattJ i.e. if you register a trademark you have to renew it after ~10y
  454. jjrh has left
  455. Zash Right
  456. Zash Which they'll do, forever
  457. Ge0rG http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4802:35rtkj.4.26
  458. Zash > This search session has expired. Please start a search session again by clicking on the TRADEMARK icon, if you wish to continue.
  459. Ge0rG It's just the "BUDDY LIST" result, it's still registered to AOL
  460. 404.city has joined
  461. Zash You also have to actively protect it as well, right? Ie go after people using it without permission and stuff.
462. Zash Hm, but then I'm not sure which is which of ™ and ®
  463. Ge0rG 🤷
  464. Ann has left
  465. edhelas has left
  466. lovetox has joined
  467. edhelas has joined
  468. daniel has joined
  469. 404.city has left
  470. Ann has joined
  471. sezuan has left
  472. thorsten has left
  473. waqas has joined
  474. moparisthebest has left
  475. vaulor has left
  476. ta has left
  477. labdsf has left
  478. lskdjf has left
  479. lskdjf has joined
  480. Wiktor has left
  481. pep. https://slashdot.org/comments.pl?sid=15607&cid=2048734 "clients are quite easy to write", fast forward 20 years later
  482. alacer has left
  483. Wiktor has left
  484. thorsten has joined
  485. l has joined
  486. lskdjf has left
  487. Zash has left
  488. j.r has joined
  489. jjrh has left
  490. jjrh has left
  491. daniel has joined
  492. jjrh has left
  493. lskdjf has joined
  494. Zash has left
  495. jjrh has left
  496. vanitasvitae has left
  497. jjrh has left
  498. lovetox has joined
  499. Andrew Nenakhov Clients are indeed easy to write. It's just good clients that aren't.
  500. jonas’ true
  501. tux has joined
  502. alacer has joined
  503. jjrh has left
  504. lovetox also 20 years ago there was no MAM and Carbons no phones etc
  505. efrit has joined
  506. lovetox no encryption, so it was basically, download the roster, and send a message
  507. Steve Kille has left
  508. Steve Kille has left
  509. genofire has left
  510. genofire has left
  511. Steve Kille has joined
512. goffi Hi, happy new year everybody. In XEP-0060, if I have an item with id "abc", I publish another item with id "def", then I publish a new item with the first id ("abc") which will overwrite it. If I then request items with max=1, should I get "abc" or "def"? § 7.1.2 says that the item is overwritten and § 6.5.7 says that the items returned are the "most recent". So I guess it should be "abc", right?
  513. genofire has joined
  514. goffi ralphm: ^
  515. pep. I think that question was also raised by edhelas a few months ago(?) I don't know if there's a clear answer
  516. Zash If you think about it as publishing a new item that just happens to also delete an older item, then it makes sense that the 'abc' one is the last item you get
  517. Guus I'd argue, without looking at the xep, that something that's overwritten is not 'new'
  518. goffi I got the same 2 thoughts, so it's confusing because 2 options could make sense.
  519. jjrh has left
520. goffi the XEP states that the mosts recents items must be returned, so even if you overwrite, the "abc" one is the more recent.
  521. goffi most*
  522. Guus The identity is not new
  523. goffi yes, but the item is
  524. Guus Is it new, or is the old one changed?
  525. Zash I prefer the way where I don't have to throw out all the append-only assumptions from everywhere
  526. waqas has left
  527. alacer has left
  528. alacer has joined
  529. erkanfiles has joined
530. steven So I've coined this idea a few times the last few weeks in random MUCs, but I'm not sure how to approach taking it further than an idea: I (and I'm sure others) have been thinking quite a bit about OMEMO key fetching and how easy it is for server admins to just serve extra keys for contacts etc. I don't think there is a single client that does not automatically accept all keys by default. (Conversations has an "expert setting" that lets you turn off accepting new keys. I think Gajim has something similar.) I've been thinking about PGP to help improve this. My personal main objection to using PGP for encrypted messaging is that I prefer to not have my private key on my device at all times (in unencrypted form) like you need for XEP-0374. Instead, one could sign OMEMO keys with a PGP key to just have to do this once for each new device. In theory, this would not need to have your PGP key on a mobile device, for example, since you could verify the OMEMO key fingerprint on your desktop and then sign it there. On the mobile device you only need to import your own public key and signed public keys of your contacts.
  531. pep. Hah, Syndace ^
  532. steven Not sure I'm missing something that makes this hard to use. Also I don't know if PGP is still used at all.
  533. oli why not encrypt the messages with pgp?
  534. pep. We've been discussing with Syndace a bit and trying to find solutions about your concerns on the server being able to inject devices etc.
  535. steven oli, because this needs the pgp private key to be available at all times
  536. steven OMEMO keys are single-use-case and can easily be replaced when confiscated
  537. pep. The idea with PGP is that the key would be stored on the server and the client can unlock it, but that has other pitfalls
  538. steven A PGP key is kinda like your ultimate beacon of trust 😀 We use it a lot at work f.e. for automatic deployments etc
539. steven So I never have my laptop or phone have it unencrypted and need to enter a lengthy passphrase for every use.
  540. pep. (Well technically it could be done any way, but that's what I hear the most, that makes the most sense UX-wise)
  541. steven I don't think it's nice to type a passphrase for every message 😀
  542. pep. Not for every message
543. Wiktor steven: good idea, but this would require OpenKeychain on Android to verify the signature and/or sign the statement
  544. steven pep., I don't know how XEP-0374 works, tbh. Does it just use one master key all the time? Or does it use ephemeral subkeys or so?
  545. waqas has joined
  546. steven Wiktor, to verify yes. But to sign your own mobile key, you could do manual fingerprint verification with a desktop client like Gajim and sign your mobile's OMEMO key there and send the signature to the server. (Just thinking out loud here, though.)
  547. pep. You choose? I don't know it that much either, I'm definitely not the reference here. I also know other people have concerns about 374, but I'm waiting on them to tell because I don't have the knowledge to back these claims
  548. Wiktor Yeah, actually Conversations already has similar code but using X.509 instead of OpenPGP
  549. pep. steven: so you want cross-signing basically right
  550. pep. I think the way you're trying to implement it is going a bit far
  551. mrDoctorWho has joined
  552. steven pep., yeah well it's also possible of course to sign on the mobile client
  553. steven still you'd have to enter the passphrase only once
  554. steven instead of very often/every message?
  555. UsL has joined
  556. mrDoctorWho has joined
  557. j.r has joined
  558. Syndace I saw you proposing that before but I didn't see a way to do that in a way which is not overkill.
  559. Syndace But now that I think about it again you could probably do it without too much complexity
560. Syndace You might not even need GPG itself, rather a master key of any sort
  561. Syndace But I'm busy right now, I'll take some time to think about it later/tomorrow
  562. steven Syndace, well, "a master key of any sort" isn't much better. The thing is that quite some people already have some form of web of trust with PGP keys and verified identities. (The company I work for is fully remote so at our annual offsite we do a quick PGP key signing ritual. From then on we can f.e. introduce a new coworker by having him meet a single colleague that signs his key.)
  563. Syndace has joined
  564. efrit has left
  565. steven Basically PGP is identity-based while OMEMO is device-based. So to tie a device to an identity, it makes sense to use PGP I think.
  566. Ge0rG steven: PGP is a can of worms, especially but not exclusively regarding UX. Not even hardcore cryptowhores figure out all of its quirks
  567. Syndace has joined
  568. Ge0rG I like the matrix idea of a master olm(?) key.
  569. steven Ge0rG, true. But it's an accepted default.
  570. steven Ge0rG, many people say the same about XMPP 😀
  571. Ge0rG No need to mix different crypto libraries with each other.
  572. Ge0rG steven [19:58]: > Ge0rG, true. But it's an accepted default. Nope. S/MIME is the accepted default.
  573. Ge0rG The PGP web of trust is just silly. I've verified your identity, therefore I trust you to verify other people's identities?
  574. Ge0rG I think that PGP has a place in xmpp indeed, but without OMEMO then.
  575. Tobias has joined
  576. Ge0rG Just have an account key, exchange it with your friends, share it between all your devices, problem solved. You leak your key? All of your chat history is compromised.
  577. Ge0rG You lose your device? Lucky you if you still have the key / recovery password. Then you'll regain all your logs.
  578. Ge0rG OMEMO trust management is just madness. What do you do if you verified one of your friend's devices, but none of your own other device keys?
  579. Ge0rG It barely works as long as you have exactly one device and it doesn't get lost, stolen or broken.
  580. steven Ge0rG, I don't think you have much experience using OMEMO..
  581. steven I have the Conversations "paranoid mode" where I have to manually approve new device keys and it works fine.
582. Andrew Nenakhov I don't like the whole idea of omemo/otr. The only improvement in it over gpg is PFS but too many drawbacks. And gpg is good enough to stop any realistic state wide spying efforts. So PFS is needed for those who REALLY have reasons not to be spied on and MitMed and traffic decrypted, and we know all too well who these people are. :-/
  583. steven When I first start chatting with a new contact, I will just blindly hit "ok" (I'm not gonna call them to spell it out for me), but after that when I get sent new device keys, I just ask them first if they started using another client.
  584. steven So yeah in theory the admin could still hijack the key on the moment someone starts using a new client. That's why I'd prefer to just have my contacts' PGP keys and have them sign their OMEMO keys.
  585. Andrew Nenakhov So, which keys could admin hijack?
  586. Ge0rG steven [20:05]: > I have the Conversations "paranoid mode" > When I first start chatting with a new contact, I will just blindly hit "ok" (I'm not gonna call them to spell it out for me) I rest my case.
  587. Andrew Nenakhov If he hijacks your public keys, then what?
  588. steven Andrew Nenakhov, the admin could install a module that whenever a user adds a new device, it broadcasts a different key instead that it owns itself. Because I described that I would only ask "did you start using a new client?" without also verifying the fingerprint.
  589. steven Ideally I just send them the fingerprint using their first OMEMO key to verify.
  590. Ge0rG Andrew Nenakhov: the server Admin could add another device key to your account, or replace your key with his own.
  591. steven Andrew Nenakhov, he could but only if he's already doing that at the moment of the first encounter.
  592. Ge0rG steven: how do you ask your friends whether they got a new device? With the old key? Via SMS?
  593. steven Ge0rG, with the old key(s).
  594. steven Usually it's someone that opened the webchat for the first time or downloads a desktop client or so.
  595. Ge0rG steven: so if they lost their phone, you are out of luck.
  596. steven So yeah I should ask them to verify the fingerprint. But I don't have such highly sensitive conversations yet. Just thinking that in case I have, I'd prefer PGP instead of manually messing with fingerprints.
  597. edhelas has left
  598. steven Ge0rG, if they lost their phone and have never used a desktop/web client, yes.
  599. moparisthebest how do you verify their PGP key though?
  600. Ge0rG steven [20:11]: > in case I have, I'd prefer PGP instead of manually messing with fingerprints. Now with *that* I can totally agree.
  601. steven (Also note that I'm the server admin of the server my social network is on, so I should have been targeted by a hacker for shady things to happen.)
  602. steven moparisthebest, well, you only have to do that once. And you could delegate that to people you trust to do it thoroughly.
  603. steven Also for higher-profile people, their PGP keys might be publicly known and signed by a bunch of people.
604. Andrew Nenakhov steven, that's what fingerprint checks are for, so you should verify your contact fingerprints via an independent means of communication.
  605. Wiktor You already specify your own PGP key in C, one can check if your contacts PGP key is signed by you
  606. steven Andrew Nenakhov, or with a signature of an authority you trust.
  607. andrey.g has left
  608. Andrew Nenakhov Cool. So this authority could be compromised and all your struggle and pain with encryption will be for nothing.
  609. Ge0rG There is no trusted authority on PGP. This is what S/MIME is for...
  610. steven Like say some guy from The Guardian contacts you. He uses an OMEMO key. Most likely, his PGP key will be known, online on several websites and signed by people from other newspapers etc. If he signs the OMEMO key with that PGP key that I can find in multiple places with multiple signatures from other keys I can find in even more independent places, I would personally rest assured.
  611. Andrew Nenakhov It never ceases to amaze me how people want security and privacy but not the inconveniences that mandatory come with them.
612. steven Andrew Nenakhov, there are several levels of privacy of course. Of course I'd like the conversations with my friends to be private from petty hackers and bad admins getting government orders. But I know that these conversations are not safe from high-profile cyberspecialists. That's fine. If I'm about to become a whistleblower and talking with a newspaper, I'll up my security and my tolerance to the nuisances that come with it.
  613. andrey.g has joined
  614. pep. > Ge0rG> There is no trusted authority on PGP. This is what S/MIME is for... Trusting that authority is another story. DANE anybody? Does S/MIME even work with that
  615. Ge0rG steven: you've heard of https://evil32.com/ already?
  616. Ge0rG pep.: there was a proposal
  617. Ge0rG I'd love to have an implementation of that.
  618. Ge0rG pep.: but not just the fingerprint, store the whole certificate in DNS
  619. edhelas has left
  620. steven > steven: you've heard of https://evil32.com/ already? Ge0rG, hmm, I don't use the shortIDs personally. Not sure how, but my `gpg --list-keys` prints full IDs.
  621. Ge0rG steven: the point is that the key of your journalist is fake, together with all the keys that signed it
  622. Wiktor steven: defaults of gpg change over time, no automated system should use short fingerprints (OpenKeychain follows this)
  623. edhelas has left
  624. Wiktor Ge0rG: not necessarily, first of all legacy sigs used long key ids not short 32 bit but for years the full fingerprint is embedded in the signature
  625. Ge0rG Why isn't anyone complaining that HTTP upload to a MUC exposes your domain to all muc participants?
  626. Link Mauve Ge0rG, because Conversations displays a picture instead of a URL.
  627. Ge0rG Wiktor: Chance fifty fifty
  628. moparisthebest your avatar exposes things too
  629. Link Mauve So people are not aware of that.
  630. moparisthebest probably a bunch of other things
  631. Link Mauve moparisthebest, uh, no, it doesn’t.
  632. moparisthebest in a different way, it lets me tell 'dwd' in one channel is the same as 'Dave' in another channel etc etc
  633. moparisthebest if I happen to have the same person in my roster, that too
  634. Ge0rG Everybody should use the same avatar!
  635. Wiktor Ge0rG: this is 4 years old: https://gnupg-devel.gnupg.narkive.com/Z0EFUBU7/issuer-fingerprint-was-vanity-keys
  636. Ge0rG Wiktor: I'm speaking about obtaining a key out of band
  637. edhelas has left
  638. Wiktor > Wiktor: Chance fifty fifty > Wiktor: I'm speaking about obtaining a key out of band ?
  639. Wiktor OpenKeychain uses qr codes, full fingerprint
  640. lorddavidiii has left
  641. Zash has left
  642. daniel has left
  643. daniel has joined
  644. lorddavidiii has joined
  645. winfried has joined
  646. ta has left
  647. ta has left
  648. ta has joined
  649. Ge0rG But you can't scan the fingerprint of some journalist
  650. j.r has joined
  651. 404.city has joined
  652. Wiktor This one uses full fingerprint https://theintercept.com/staff/micah-lee/
  653. MattJ has left
  654. mrDoctorWho has left
  655. l has joined
  656. oli Ge0rG: i complain all the time (in my head)
  657. oli regarding http upload
  658. lovetox steven, 1. Gajim doesn't blindly trust, but every single user tells me I should implement it 2. you just exchange one verification for another, you don't want to verify the OMEMO fingerprint, and trust a PGP signature on it, but next you don't want to verify the PGP fingerprint, then you just trust some names on a list that maybe work in a newspaper
  659. lovetox that's not how it works, if you want to be really secure, you have to put in the work
  660. lovetox there is no magic solution how a computer can tell you that you can absolutely be sure that on the other end is Human X
  661. lovetox at some point, someone has to check this in the real world
  662. oli video
  663. Wiktor lovetox, I think steven mentioned that their company's employees verify their PGP fingerprints in real world
  664. lovetox and then the next thing you have to realize is, that clients are not developed for 1% paranoid people
  665. lovetox Wiktor, yeah so they know how this works, then they can do it with omemo fingerprints
  666. lovetox all of your PGP signing theories are way too complex to implement, it's already hard to get OMEMO as is working in a usable way
  667. Wiktor yes, but for PGP once you sign a key the person can rotate subkeys freely and the trust is retained
  668. Wiktor with OMEMO there is no master key to hold device keys together
  669. Wiktor just clarifying what's the scope, I actually had an idea how to implement it outside clients using PGP but without modification from XMPP client developers using verified XMPP URIs (what basically is in the OMEMO QR code)
  670. lovetox And? do you see anyone using pgp in xmpp?
  671. Ge0rG Wiktor [21:16]: > with OMEMO there is no master key to hold device keys together And you have O(n*m) manual key management overhead
  672. Wiktor pgp has two components, identity verification and signing/encryption, pgp for xmpp as is today is used only for signing/encryption, not identity verification
  673. Ge0rG Where n is your devices, and m the other users.
  674. Wiktor you already do M when you verify your users' OMEMO keys?
  675. Wiktor the problem is you need to repeat it for every new device key
  676. lovetox That's the whole story of Signal, no master key, it's a feature that enables you to easily add new devices
  677. lovetox that is what makes it usable for the masses
  678. lovetox now you want to "secure" that down to pgp levels
  679. lovetox just use pgp
  680. Wiktor there is no way to use pgp identity verification in xmpp currently
  681. Wiktor pgp fingerprints are transferred in band in all pgp xeps I've seen
  682. ta has joined
  683. lovetox xmpp is just a transport protocol, everything pgp offers you can use
  684. lovetox it's like email in that sense, it transports the encrypted payload, you can verify around that with keyservers or whatever crazy construct you think up
  685. Yagiza has left
  686. Wiktor verification of PGP keys can be done with QR codes like with OMEMO and with OpenKeychain, nothing uses that so basically PGP in XMPP as it is now relies on the server telling the fingerprints to clients, there is no paranoid mode like in OMEMO
  687. Wiktor but I think what steven proposed (as far as I understood) would be to use pgp keys that already have trust between them (bidirectional signing) to sign OMEMO device keys
  688. lovetox and how do I get the public key to verify the signature?
  689. lovetox don't tell me from a server :D
  690. Wiktor you get the fingerprint by scanning QR code, this is identical to OMEMO
  691. Wiktor see: https://github.com/open-keychain/open-keychain/wiki/QR-Codes
  692. lovetox ok, so you don't want to scan the OMEMO QR code, because that's somehow too much work, that's why we sign the OMEMO key, then scan the PGP key that this was signed with
  693. Wiktor I don't want to scan omemo keys every time contact changes devices, pgp key is stable as it is the root of trust
  694. lovetox to me this sounds like you just moved your problem and added complexity
  695. lovetox and how does a user add a new device, where does he store his secret master pgp key?
  696. moparisthebest you also don't really have to involve PGP to get the same thing right?
  697. lovetox on the phone he just lost?
  698. moparisthebest can't the device key you trust sign new device keys, and let you know about that?
  699. lovetox this is just exactly what people have been doing for 20 years with PGP
  700. lnj has left
  701. frainz has left
  702. lovetox having a master key and signing subkeys
  703. Wiktor lovetox, usually PGP master keys are more protected than offline keys like OMEMO, e.g. my signing/encryption keys are on hardware tokens, master key is on an airgapped offline machine
  704. Wiktor lovetox, exactly
  705. lovetox Wiktor, that's not usable for the masses
  706. lovetox they don't store secret keys on hardware tokens
  707. lovetox they get a new phone
  708. lovetox log in, and want to chat
  709. moparisthebest I meant something a little less strict, ie "trust any key I've trusted for x@x.com, and any new keys for x@x.com that one of my trusted keys have signed"
  710. Wiktor is verified omemo for masses? but it exists
  711. lovetox that's what the Signal protocol solved, that's why WhatsApp is using this protocol for 1 billion people
  712. frainz has joined
  713. lovetox so what you describe is not an issue with OMEMO, it's a design decision to make it usable for the masses
  714. lovetox if that's not secure enough just use PGP
  715. lovetox and if the pgp UI in clients is not what you think it could be, work on that
  716. lovetox instead of making omemo into something it was never designed to be
  717. Guus has left
  718. edhelas has left
  719. lnj has joined
  720. Wiktor this is not an issue with "pgp UI" nor pgp as used for encryption, but if you say omemo should stay as close to signal as possible... okay
  721. Wiktor moparisthebest, yep, that sounds lightweight, there is an issue with revoking devices and tracking which device signed which one
  722. moparisthebest uh, revoking is just "now my trusted key for x@x.com said not to trust this other key for x@x.com" ?
  723. steven has left
  724. moparisthebest just have to be careful that the signed message going away alone doesn't revoke trust, since the server operator could pull that off
  725. moparisthebest but it could also block the revoke message, I don't think there is anything you can do about that
  726. 404.city has left
  727. moparisthebest it's at best a "my phone was stolen please don't encrypt messages to it anymore" switch
  728. Wiktor Yep, maybe the signatures and revocation can be embedded in XMPP QR codes as for OMEMO, that is transported out of band
  729. Wiktor Yes, stolen or unused anymore
  730. moparisthebest yea that'd be pretty great
  731. Wiktor There is an alternative to revocations - re-signing expiring signatures every N weeks or so
  732. Wiktor JWTs work like that... a little :)
  733. moparisthebest then an evil server op can revoke keys though
  734. moparisthebest trying to decide if that's a problem, I mean they can also just block messages
  735. Wiktor yeah
  736. Wiktor but putting these signatures in random messages would hide them :)
  737. Wiktor has left
  738. !xsf_Martin has left
  739. frainz has joined
  740. frainz has left
  741. frainz has joined
  742. ThibG has left
  743. ThibG has joined
  744. winfried has joined
  745. lorddavidiii has left
  746. lorddavidiii has joined
  747. edhelas has left
  748. Wiktor has left
  749. ralphm has left
  750. edhelas has left
  751. winfried has joined
  752. winfried has joined
  753. Wiktor has left
  754. Wiktor has joined
  755. edhelas has left
  756. edhelas has left
  757. edhelas has left
  758. edhelas has joined
  759. lorddavidiii has left
  760. edhelas has left
  761. edhelas has joined
  762. alacer has left
  763. winfried has joined
  764. winfried has joined
  765. edhelas has left
  766. mimi89999 has joined
  767. j.r has joined
  768. jjrh has left
  769. oli has left
  770. oli has joined
  771. frainz has left
  772. marc_ has left
  773. marc_ has joined
  774. jjrh has left
  775. jjrh has left
  776. jjrh has left
  777. Ann has left
  778. frainz has joined
  779. j.r has joined
  780. j.r has joined
  781. frainz has left
  782. marc_ has left
  783. ta has left
  784. ta has left
  785. jjrh has left
  786. vanitasvitae has left
  787. oli has joined
  788. frainz has joined
  789. j.r has joined
  790. frainz has left
  791. frainz has joined
  792. lumi has left
  793. andrey.g has left
  794. thorsten has left
  795. thorsten has joined
  796. Lance has joined
  797. mimi89999 has joined
  798. Half-Shot has joined
  799. Half-Shot has left
  800. Half-Shot has joined
  801. Lance has left
  802. Half-Shot has left
  803. Half-Shot has joined
  804. tux has joined
  805. MattJ has joined
  806. Half-Shot has left
  807. Half-Shot has joined
  808. Half-Shot has left
  809. Nekit has joined
  810. efrit has joined
  811. sezuan has left
  812. andrey.g has joined
  813. Half-Shot has joined
  814. jjrh has left
  815. lnj has left