XSF Discussion - 2019-01-03

  1. lnj has left

  2. moparisthebest has joined

  3. frainz has left

  4. frainz has joined

  5. vanitasvitae has joined

  6. lovetox has left

  7. redditor has left

  8. oli has joined

  9. l has left

  10. vanitasvitae has left

  12. ThibG has left

  13. Half-Shot has joined

  14. benpa has joined

  15. _purple_bot has joined

  16. uhoreg has joined

  17. Matthew has joined

  18. vanitasvitae has joined

  19. benpa has joined

  20. uhoreg has joined

  21. _purple_bot has joined

  22. Matthew has joined

  23. j.r has joined

  24. j.r has left

  25. pep.

    s2s:show('hardteckno.com') | OK: Total: 60 outgoing, 48 incoming connections

  26. pep.

    bug? feature?

  27. pep.

    it's the exact same numbers as if I did without the domain, just that the connections don't get listed


  29. pep.

    wrong room

  30. vanitasvitae has left

  31. vanitasvitae has joined

  32. Half-Shot has joined

  33. oli has joined

  34. steven has left

  35. Lance has left

  36. lskdjf has joined

  37. l has joined

  38. Lance has joined

  39. vanitasvitae has left

  40. vanitasvitae has joined

  41. vanitasvitae has left

  42. vanitasvitae has joined

  43. Lance has left

  44. Lance has joined

  45. Ann has left

  46. Ann has joined

  47. Nekit has joined

  48. oli has joined

  49. Lance has left

  50. moparisthebest has joined

  51. daniel has left

  52. daniel has joined

  53. Lance has joined

  54. Lance has left

  55. UsL has joined

  56. sezuan has left

  57. lumi has left

  58. chunk has joined

  60. ThibG has joined

  61. jjrh has left

  62. Kev has left

  64. Chunk has joined

  65. steven has left

  66. labdsf has left

  67. labdsf has joined

  68. alacer has joined

  69. igoose has left

  70. igoose has joined

  71. Kev has joined

  72. alacer has left

  73. waqas has joined

  74. moparisthebest has left

  75. moparisthebest has joined

  76. Yagiza has joined

  77. ta has left

  78. alacer has joined

  79. steven has joined

  80. alacer has left

  81. labdsf has left

  82. labdsf has joined

  83. alacer has joined

  84. lovetox has joined

  85. krauq has joined

  87. Chunk has joined

  88. labdsf has left

  89. labdsf has joined

  90. labdsf has left

  91. labdsf has joined

  92. moparisthebest has left

  93. Kev has left

  94. Kev has joined

  95. moparisthebest has joined

  96. waqas has left

  97. waqas has joined

  98. lorddavidiii has joined

  99. waqas has left

  100. labdsf has left

  101. labdsf has joined

  102. Ann has left

  103. Ann has joined

  104. ta has left

  105. Ann has left

  106. alacer has left

  107. rion has joined

  108. ThibG has left

  109. Ann has joined

  110. rion has left

  111. waqas has joined

  112. Nekit has joined

  113. moparisthebest has joined

  115. krauq has joined

  116. goffi has joined

  117. labdsf has left

  118. Steve Kille has left

  119. oli has joined

  120. Steve Kille has joined

  121. pep. has left

  122. mrdoctorwho has left

  123. mrdoctorwho has joined

  124. labdsf has joined

  125. winfried has joined

  127. Andrew Nenakhov has left

  128. krauq has joined

  129. genofire has left

  130. ThibG has joined

  131. mrdoctorwho has left

  132. Guus has left

  134. l has joined

  135. moparisthebest has joined

  136. steven has left

  137. Andrew Nenakhov has joined

  138. waqas has left

  139. l has left

  140. krauq has joined

  141. Guus has left

  142. l has joined

  143. vanitasvitae has left

  144. genofire has left

  145. genofire has joined

  146. pep. has joined

  147. lskdjf has joined

  148. Ann has left

  149. krauq has joined

  150. Maranda has joined

  151. waqas has joined

  152. Half-Shot_ has joined

  153. Half-Shot_ has left

  154. Ann has joined

  155. lorddavidiii has left

  156. Yagiza has left

  157. ralphm has left

  158. neshtaxmpp has joined

  159. freddo has left

  160. Ge0rG

    Why is "Simple IoT Client" listed in the XMPP Clients list, again?

  161. Ge0rG

    It also looks like its link is broken.

  162. jonas’

    broken link -> expire it immediately

  163. lnj has joined

  164. Ge0rG

    What can I do to expire Pidgin?

  165. Ge0rG

    > waher.se took too long to respond. Might be a temporary failure.

  166. Ge0rG

    > broken link -> expire it immediately
    how long do I need to DDoS pidgin.im to get it removed?


  168. waqas

    Ge0rG: Try it and let us know how long it takes.

  169. oli has joined

  170. Ge0rG

    is `<span style=" font-weight:600;">` correct XHTML-IM for bold?

  171. Zash

    If you allow style

  172. Ge0rG

    how is a client supposed to know that 600 = bold?

  173. jonas’

    that’s how bold is defined

  174. jonas’

    bold is just an alias for 600 or something

  175. waqas

    Ge0rG: you need a `</span>` for it to be valid

  176. jonas’

    bold Bold font weight. Same as 700.


  178. Ge0rG

    So 600 is not-quite-bold?

  179. jonas’

    600 Semi Bold (Demi Bold)

  180. Ge0rG

    poezio will display as bold if you have font-weight:anything in the CSS

  181. waqas

    font-weight: normal == 400


  183. waqas

    Check out values here: https://developer.mozilla.org/en-US/docs/Web/CSS/font-weight#Values

  184. Andrew Nenakhov has joined

  185. jonas’

    https://developer.mozilla.org/en-US/docs/Web/CSS/font-weight#Common_weight_name_mapping rather this table, no?


  187. waqas

    That's a nice piece of documentation

  188. Ge0rG

    Now I remember again why I hate HTML

  189. waqas

    Ge0rG: Why exactly? :)

  190. jonas’

    first, this is CSS

  191. jonas’

    second, what’s wrong with its

  192. jonas’

    second, what’s wrong with it?

  193. Ge0rG

    jonas’: CSS is a part of HTML.

  194. jonas’

    CSS is commonly used with HTML, but you can use HTML without CSS just fine, and you can use CSS with things which are not HTML (e.g. GTK or SVR)

  195. Ge0rG

    You know what they said about PHP? A fractal of bad design.

  196. jonas’

    CSS is commonly used with HTML, but you can use HTML without CSS just fine, and you can use CSS with things which are not HTML (e.g. GTK or SVG)

  197. jonas’

    I don’t see that here though

  198. waqas

    Ge0rG: You need to make peace with the fact that everything sucks, and that is unlikely to ever change :)

  199. Andrew Nenakhov has left

  200. Andrew Nenakhov has joined

  201. Ge0rG

    waqas: I can't make peace with it, I can merely try to rant less.

  202. Andrew Nenakhov has joined

  203. Andrew Nenakhov has left

  204. Andrew Nenakhov has joined

  205. Andrew Nenakhov has left

  206. Andrew Nenakhov has joined

  207. waqas has left

  208. oli has joined

  209. Andrew Nenakhov has left

  210. Andrew Nenakhov has joined

  211. lorddavidiii has joined

  212. l has joined

  214. mrDoctorWho has joined

  215. vanitasvitae has left

  216. igoose has left

  217. Maranda has joined

  218. alacer has joined

  219. steven has joined

  220. alacer has left

  221. Zash has left

  223. !xsf_Martin has joined

  224. frainz has left

  225. j.r has joined

  226. frainz has joined

  227. Andrew Nenakhov has joined

  228. Zash has left

  229. Andrew Nenakhov has joined

  230. Zash has left

  231. oli has joined

  232. krauq has joined

  233. 404.city has joined

  234. krauq has joined

  235. 404.city has left

  236. oli has joined

  237. benpa has joined

  238. uhoreg has joined

  239. _purple_bot has joined

  240. Matthew has joined

  241. labdsf has left

  242. labdsf has joined

  243. igoose has joined

  244. valo has joined

  245. j.r has joined

  246. oli has joined

  247. vanitasvitae has left

  248. oli has joined

  249. Andrew Nenakhov has left

  250. Andrew Nenakhov has joined

  251. Half-Shot has joined

  252. Half-Shot has left

  253. vanitasvitae has left

  254. jonas’

    who’s responsible for the registries? (<https://github.com/xsf/registrar>)

  255. lumi has joined

  256. vanitasvitae has left

  257. vanitasvitae has left

  258. vinx55 has joined

  259. j.r has joined

  260. krauq has joined

  261. daniel has joined

  262. vinx55 has left

  263. nyco has left

  264. Yagiza has joined

  265. APach has left

  267. alacer has joined

  268. krauq has joined

  269. igoose has left

  270. igoose has joined

  271. nyco has joined

  272. vanitasvitae has left

  273. nyco has left

  274. lskdjf has joined

  275. labdsf has left

  276. Yagiza has left

  277. Yagiza has joined

  278. l has left

  279. Wiktor has left

  280. j.r has joined

  281. Guus

    jonas’ Until there is a perceived need for a more formal governing body, the functions of the XMPP Registrar shall be managed by the XMPP Extensions Editor [6]


  283. Marc Laporte has joined

  284. thorsten has left

  285. thorsten has joined

  286. Marc Laporte has left

  287. labdsf has joined

  288. ralphm set the topic to

    XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

  289. ralphm bangs gavel

  290. ralphm

    0. Welcome + Agenda


  292. ralphm

    nyco sent regrets

  293. jonas’

    Guus, thx :)

  297. ralphm

    Anything to add to the agenda?

  298. Seve

    Not me

  299. Guus

    I just added things to Trello

  300. Guus

    trademark, email server status

  301. Seve can't get to a computer but is on his phone


  303. ralphm

    Me too

  304. ralphm

    1. Commitments

  305. waqas has joined

  306. waqas has left

  307. Guus eyes dwd

  308. ralphm

    Vacation is almost over here, making more time for all things XMPP this month.

  309. APach has joined

  310. ralphm

    Including finally getting the items with Peter sorted.

  311. waqas has joined

  312. ralphm

    2. FOSDEM / Summit

  313. ralphm

    Guus, any news on hotel?

  314. Guus

    I've sent a request for a quote, but have not received one yet.

  315. Guus

    I expect that to happen today or tomorrow

  316. Guus

    after which I'll forward it to the mailing lists, much like we did last year.

  317. ralphm

    Otherwise, let's sync tomorrow on all the things

  318. Guus

    (I'm getting a quote from Thon EU again)

  319. Guus

    I've also tried to reach out to the same restaurant for the XSF Dinner

  320. Guus

    couldn't get someone on the phone, but left a message

  321. Guus

    that's it for now.

  324. ralphm

    3. GSoC

  325. Seve

    Thank you Guus

  326. !xsf_Martin has joined

  327. Guus

    Joachim expressed some interest in participating, but communication seems to have broken down over the holidays.

  328. Guus

    (GSoC, that is)

  329. Guus

    I'll follow up with him

  330. Guus

    no others have stepped forward.

  331. Guus

    Let's aim to have a go/no go in next weeks meeting?

  332. ralphm

    Ok, maybe good to repeat the request now holidays are over

  333. Guus

    I don't like battering people. I'll publicly follow up Joachim. If someone else is interested, they can chime in.

  337. MattJ

    Sorry, here now

  338. ralphm

    5. JabberSpam trademark

  339. Guus

    hi MattJ


  341. mightyBroccoli has left

  342. ralphm

    Good comments, Guus

  343. Guus

    Ge0rG has sent in an application, which has had little response. He requests action.

  344. ralphm

    I'd still like to get guidance from Peter

  345. Ge0rG

    Peter acknowledged my request some two weeks ago.

  346. ralphm

    Yes, I got a copy

  347. Guus

    interestingly, the website speaks of a Trademark WT

  348. Guus

    who's that?

  349. Ge0rG

    IIRC, last time I asked for a trademark license, it ended up being voted by Board (after Peter's principal approval)

  350. ralphm

    Currently, just Peter, I think.

  351. Guus

    (It does not explicitly name it a work team, but it suggests that there's a group of people, plus the executive director, that are said team).


  353. Guus

    sorry 🙂

  354. mightyBroccoli has joined

  355. MattJ

    The agreement does mention a "trademark committee" iirc

  356. Guus

    that might be it, yes.

  357. ralphm

    Adding it to the list of topics.

  358. ralphm

    Ge0rG: trying to get that resolved soon

  359. Guus

    I just created a small PR to the website, that should get Peter's attention too

  360. Guus

    (regarding pending trademark applications)

  361. !xsf_Martin has left

  362. Guus

    Hopefully, we can gain some traction that way too.

  363. ralphm

    6. E-mail issue for seve

  364. Guus

    I'm not sure if this is just for Seve

  365. Ge0rG

    Further discussion has shown that I might need _two_ trademark permissions actually, one for the Org (requested), and another one for the "Jabber Spam Fighting Manifesto"

  366. !xsf_Martin has joined

  367. ralphm

    I saw some discussion and request to remove from RBL

  368. Guus

    I don't know what RBL is - or if we indeed do have an issue

  369. ralphm

    Seve: did you get nyco's email?

  370. Guus

    but for several weeks, people seem to have email related issues

  371. Guus

    Seve is one, but mail from the wiki (on account creation) do not show up either

  372. Guus

    unsure if it is related

  373. ralphm

    If this keeps up we may have to start sending through a service like MailGun, I'll ask the iteam what their strategy is.

  374. Seve

    ralphm: still no new emails from XSF lists, I was thinking on waiting for a new email to check if I get them now

  375. Guus

    I'm hoping that iteam can give some kind of status update.

  376. ralphm

    Seve: ok, that was sent just before this meeting

  377. Guus

    if only to confirm or reject the notion that we have issues.

  378. ralphm

    Kev, intosi?

  379. Seve

    ralphm: then no, I still do not get them

  380. MattJ

    I think someone will have to check the mail server log again then


  382. ralphm

    Ok, taking that up with iteam.

  383. Seve

    Thank you for this, I really appreciate that

  384. ralphm

    7. AOB?

  385. Ge0rG

    I have one AOB

  386. Guus

    no AOB from me.

  387. MattJ

    None here

  388. Ge0rG

    Tomorrow is our 20th birthday. Somebody should give a party. https://slashdot.org/story/99/01/04/1621211/open-real-time-messaging-system


  390. ralphm

    Of course the party will be distributed, with Disco and lots of Jingle.


  392. Ge0rG

    ralphm: are you going to MIX the drinks?

  395. ralphm

    Ge0rG: sure. I'm more Pub than Sub.

  396. Ge0rG

    that sounds rather zimpy.

  397. Guus

    any practical ideas on commemorating the milestone?

  398. Guus

    apart from bad puns, obviously.

  399. Ge0rG

    Guus: somebody should write a blog post. I suggest "the half-life of instant messengers"

  400. ralphm

    I had great ideas and no time, so that didn't work out.

  401. Link Mauve

    I think we wanted to organise one with Nÿco this year.

  402. Ge0rG

    I'd volunteer, except -EBUSY

  403. waqas has left

  404. Guus

    that goes for everyone, I'm afraid.

  405. ralphm

    But we might be able to do something around the Summit

  406. Ge0rG

    maybe we can crowdsource it? Collect the lifespans of IMs in a pad

  407. mrDoctorWho

    Where does gajim keep the passwords on Windows?

  408. Ge0rG

    I can manage an hour or two tomorrow to write it down


  410. mrDoctorWho

    Sorry, wrong chat

  411. Zash

    lol https://slashdot.org/comments.pl?sid=15607&cid=2048739


  413. ralphm

    Ok, with that.

  414. ralphm

    8. Date of Next

  417. ralphm

    9. Close Thanks all!


  419. Guus

    until we meet again!

  420. ralphm bangs gavel

  421. Seve

    Thank you!

  422. ralphm set the topic to

    XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

  423. Ge0rG

    Zash: XMPP, a story of NIH

  424. Zash

    Ge0rG: All of humanity probably

  425. Ge0rG

    So does anyone volunteer to collect data about IM networks/apps and their lifetimes?


  427. Ge0rG

    Zash: that's very coarse

  428. Ge0rG

    but maybe a full history of all abandoned networks will be less funny of a read than I imagine

  429. labdsf has left

  430. Ge0rG

    Oh, https://waher.se/IoTGateway/SimpleIoTClient.md is back up

  431. vanitasvitae has left

  432. jjrh has left

  433. steven has left

  434. moparisthebest

    ha I didn't know that "The term "Instant Messenger" is a service mark of Time Warner[11] and may not be used in software not affiliated with AOL in the United States."

  435. labdsf has joined

  436. neshtaxmpp has joined

  437. daniel has joined

  438. steven

    wtf is that true??

  439. MattJ

    Things like that are why we ended up with the term "roster", when at the time everyone was talking about your "buddy list(TM)" (e.g. https://www.bizjournals.com/sanjose/stories/1999/05/31/story7.html )

  440. lovetox has joined

  441. krauq has joined

  442. Ge0rG

    Also why we ended up with XMPP.

  443. UsL has left

  444. Zash

    Trademarks are why we can't have nice things

  445. UsL has joined

  446. UsL has left

  447. UsL has joined

  448. UsL has left

  449. jjrh has left

  450. Ge0rG

    trademarks don't expire, right?

  451. MattJ

    They do

  452. Zash

    No they don't

  453. MattJ

    i.e. if you register a trademark you have to renew it after ~10y

  454. jjrh has left


  456. Zash

    Which they'll do, forever


  458. Zash

    > This search session has expired. Please start a search session again by clicking on the TRADEMARK icon, if you wish to continue.

  459. Ge0rG

    It's just the "BUDDY LIST" result, it's still registered to AOL

  460. 404.city has joined

  461. Zash

    You also have to actively protect it as well, right? Ie go after people using it without permission and stuff.

  462. Zash

    Hm, but then I'm not sure which is which of ™ and ®


  464. Ann has left

  465. edhelas has left

  466. lovetox has joined

  467. edhelas has joined

  468. daniel has joined

  469. 404.city has left

  470. Ann has joined

  471. sezuan has left

  472. thorsten has left

  473. waqas has joined

  474. moparisthebest has left

  475. vaulor has left

  476. ta has left

  477. labdsf has left

  478. lskdjf has left

  479. lskdjf has joined

  480. Wiktor has left

  481. pep.

    https://slashdot.org/comments.pl?sid=15607&cid=2048734 "clients are quite easy to write", fast forward 20 years later

  482. alacer has left

  483. Wiktor has left

  484. thorsten has joined

  485. l has joined

  486. lskdjf has left

  487. Zash has left

  488. j.r has joined

  489. jjrh has left

  491. daniel has joined

  492. jjrh has left

  493. lskdjf has joined

  494. Zash has left

  495. jjrh has left

  496. vanitasvitae has left

  497. jjrh has left

  498. lovetox has joined

  499. Andrew Nenakhov

    Clients are indeed easy to write. It's just good clients that aren't.


  501. tux has joined

  502. alacer has joined

  503. jjrh has left

  504. lovetox

    also 20 years ago there was no MAM and Carbons, no phones, etc.

  505. efrit has joined

  506. lovetox

    no encryption, so it was basically, download the roster, and send a message

  507. Steve Kille has left

  509. genofire has left

  511. Steve Kille has joined

  512. goffi

    Hi, happy new year everybody. In XEP-0060, if I have an item with id "abc", I publish another item with id "def", then I publish a new item with the first id ("abc") which will overwrite it. If I then request items with max=1, should I get "abc" or "def"? § 7.1.2 says that the item is overwritten and § 6.5.7 says that the items returned are the "most recent". So I guess it should be "abc", right?

  513. genofire has joined

  514. goffi

    ralphm: ^

  515. pep.

    I think that question was also raised by edhelas a few months ago(?) I don't know if there's a clear answer

  516. Zash

    If you think about it as publishing a new item that just happens to also delete an older item, then it makes sense that the 'abc' one is the last item you get

  517. Guus

    I'd argue, without looking at the xep, that something that's overwritten is not 'new'

  518. goffi

    I got the same 2 thoughts, so it's confusing because 2 options could make sense.

  519. jjrh has left

  520. goffi

    the XEP states that the most recent items must be returned, so even if you overwrite, the "abc" one is the more recent.


  522. Guus

    The identity is not new

  523. goffi

    yes, but the item is

  524. Guus

    Is it new, or is the old one changed?

  525. Zash

    I prefer the way where I don't have to throw out all the append-only assumptions from everywhere

  526. waqas has left

  527. alacer has left

  528. alacer has joined

  529. erkanfiles has joined

  530. steven

    So I've coined this idea a few times the last few weeks in random MUCs, but I'm not sure how to approach taking it further than an idea: I (and I'm sure others) have been thinking quite a bit about OMEMO key fetching and how easy it is for server admins to just serve extra keys for contacts etc. I don't think there is a single client that does not automatically accept all keys by default. (Conversations has an "expert setting" that lets you turn off accepting new keys. I think Gajim has something similar.) I've been thinking about PGP to help improve this. My personal main objection to using PGP for encrypted messaging is that I prefer to not have my private key on my device at all times (in unencrypted form) like you need for XEP-0374. Instead, one could sign OMEMO keys with a PGP key to just have to do this once for each new device. In theory, this would not need to have your PGP key on a mobile device, for example. Since you could verify the OMEMO key fingerprint on your desktop and then sign it there. On the mobile device you only need to import your own public key and signed public keys of your contacts.

  531. pep.

    Hah, Syndace ^

  532. steven

    Not sure I'm missing something that makes this hard to use. Also I don't know if PGP is still used at all.

  533. oli

    why not encrypt the messages with pgp?

  534. pep.

    We've been discussing with Syndace a bit and trying to find solutions about your concerns on the server being able to inject devices etc.

  535. steven

    oli, because this needs the pgp private key to be available at all times

  536. steven

    OMEMO keys are single-use-case and can easily be replaced when confiscated

  537. pep.

    The idea with PGP is that the key would be stored on the server and the client can unlock it, but that has other pitfalls

  538. steven

    A PGP key is kinda like your ultimate beacon of trust 😀 We use it a lot at work f.e. for automatic deployments etc

  539. steven

    So I never have my laptop or phone have it unencrypted and need to enter a lengthy passphrase for every use.

  540. pep.

    (Well technically it could be done any way, but that's what I hear the most, that makes the most sense UX-wise)

  541. steven

    I don't think it's nice to type a passphrase for every message 😀

  542. pep.

    Not for every message

  543. Wiktor

    steven: good idea, but this would require OpenKeychain on Android to verify the signature and/or sign the statement

  544. steven

    pep., I don't know how XEP-0374 works, tbh. Does it just use one master key all the time? Or does it use ephemeral subkeys or so?

  545. waqas has joined

  546. steven

    Wiktor, to verify yes. But to sign your own mobile key, you could do manual fingerprint verification with a desktop client like Gajim and sign your mobile's OMEMO key there and send the signature to the server. (Just thinking out loud here, though.)

  547. pep.

    You choose? I don't know it that much either, I'm definitely not the reference here. I also know other people have concerns about 374, but I'm waiting on them to tell because I don't have the knowledge to back these claims

  548. Wiktor

    Yeah, actually Conversations already has similar code but using X.509 instead of OpenPGP

  549. pep.

    steven: so you want cross-signing basically right

  550. pep.

    I think the way you're trying to implement it is going a bit far

  551. mrDoctorWho has joined

  552. steven

    pep., yeah well it's also possible of course to sign on the mobile client

  553. steven

    still you'd have to enter the passphrase only once

  554. steven

    instead of very often/every message?

  555. UsL has joined

  556. mrDoctorWho has joined

  557. j.r has joined

  558. Syndace

    I saw you proposing that before but I didn't see a way to do that in a way which is not overkill.

  559. Syndace

    But now that I think about it again you could probably do it without too much complexity

  560. Syndace

    You might not even need GPG itself, rather a master key of any sort

  561. Syndace

    But I'm busy right now, I'll take some time to think about it later/tomorrow

  562. steven

    Syndace, well, "a master key of any sort" isn't much better. The thing is that quite some people already have some form of web of trust with PGP keys and verified identities. (The company I work for is fully remote so at our annual offsite we do a quick PGP key signing ritual. From then on we can f.e. introduce a new coworker by having him meet a single colleague that signs his key.)

  563. Syndace has joined

  564. efrit has left

  565. steven

    Basically PGP is identity-based while OMEMO is device-based. So to tie a device to an identity, it makes sense to use PGP I think.

  566. Ge0rG

    steven: PGP is a can of worms, especially but not exclusively regarding UX. Not even hardcore cryptowhores figure out all of its quirks

  567. Syndace has joined

  568. Ge0rG

    I like the matrix idea of a master olm(?) key.

  569. steven

    Ge0rG, true. But it's an accepted default.

  570. steven

    Ge0rG, many people say the same about XMPP 😀

  571. Ge0rG

    No need to mix different crypto libraries with each other.

  572. Ge0rG

    steven [19:58]:
    > Ge0rG, true. But it's an accepted default.
    Nope. S/MIME is the accepted default.

  573. Ge0rG

    The PGP web of trust is just silly. I've verified your identity, therefore I trust you to verify other people's identities?

  574. Ge0rG

    I think that PGP has a place in xmpp indeed, but without OMEMO then.

  575. Tobias has joined

  576. Ge0rG

    Just have an account key, exchange it with your friends, share it between all your devices, problem solved. You leak your key? All of your chat history is compromised.

  577. Ge0rG

    You lose your device? Lucky you if you still have the key / recovery password. Then you'll regain all your logs.

  578. Ge0rG

    OMEMO trust management is just madness. What do you do if you verified one of your friend's devices, but none of your own other device keys?

  579. Ge0rG

    It barely works as long as you have exactly one device and it doesn't get lost, stolen or broken.

  580. steven

    Ge0rG, I don't think you have much experience using OMEMO..

  581. steven

    I have the Conversations "paranoid mode" where I have to manually approve new device keys and it works fine.

  582. Andrew Nenakhov

    I don't like the whole idea of omemo/otr. The only improvement in it over gpg is PFS but too many drawbacks. And gpg is good enough to stop any realistic state wide spying efforts. So PFS is needed by those who REALLY have reasons not to be spied on and MitMed and traffic decrypted, and we know all too well who these people are. :-/

  583. steven

    When I first start chatting with a new contact, I will just blindly hit "ok" (I'm not gonna call them to spell it out for me), but after that when I get sent new device keys, I just ask them first if they started using another client.

  584. steven

    So yeah in theory the admin could still hijack the key on the moment someone starts using a new client. That's why I'd prefer to just have my contacts' PGP keys and have them sign their OMEMO keys.

  585. Andrew Nenakhov

    So, which keys could admin hijack?

  586. Ge0rG

    steven [20:05]:
    > I have the Conversations "paranoid mode"
    > When I first start chatting with a new contact, I will just blindly hit "ok" (I'm not gonna call them to spell it out for me)
    I rest my case.

  587. Andrew Nenakhov

    If he hijacks your public keys, then what?

  588. steven

    Andrew Nenakhov, the admin could install a module that whenever a user adds a new device, it broadcasts a different key instead that it owns itself. Because I described that I would only ask "did you start using a new client?" without also verifying the fingerprint.

  589. steven

    Ideally I just send them the fingerprint using their first OMEMO key to verify.

  590. Ge0rG

    Andrew Nenakhov: the server Admin could add another device key to your account, or replace your key with his own.

  591. steven

    Andrew Nenakhov, he could but only if he's already doing that at the moment of the first encounter.

  592. Ge0rG

    steven: how do you ask your friends whether they got a new device? With the old key? Via SMS?

  593. steven

    Ge0rG, with the old key(s).

  594. steven

    Usually it's someone that opened the webchat for the first time or downloads a desktop client or so.

  595. Ge0rG

    steven: so if they lost their phone, you are out of luck.

  596. steven

    So yeah I should ask them to verify the fingerprint. But I don't have such highly sensitive conversations yet. Just thinking that in case I have, I'd prefer PGP instead of manually messing with fingerprints.

  597. edhelas has left

  598. steven

    Ge0rG, if they lost their phone and have never used a desktop/web client, yes.

  599. moparisthebest

    how do you verify their PGP key though?

  600. Ge0rG

    steven [20:11]:
    > in case I have, I'd prefer PGP instead of manually messing with fingerprints.
    Now with *that* I can totally agree.

  601. steven

    (Also note that I'm the server admin of the server my social network is on, so I should have been targeted by a hacker for shady things to happen.)

  602. steven

    moparisthebest, well, you only have to do that once. And you could delegate that to people you trust to do it thoroughly.

  603. steven

    Also for higher-profile people, their PGP keys might be publicly known and signed by a bunch of people.

  604. Andrew Nenakhov

    steven, that what fingerprints check is for, so you should verify your contact fingerprints via an independent means of communication.

  605. Wiktor

    You already specify your own PGP key in C, one can check if your contacts PGP key is signed by you

  606. steven

    Andrew Nenakhov, or with a signature of an authority you trust.

  607. andrey.g has left

  608. Andrew Nenakhov

    Cool. So this authority could be compromised and all your struggle and pain with encryption will be for nothing.

  609. Ge0rG

    There is no trusted authority on PGP. This is what S/MIME is for...

  610. steven

    Like say some guy from The Guardian contacts you. He uses an OMEMO key. Most likely, his PGP key will be known, online on several websites and signed by people from other newspapers etc. If he signs the OMEMO key with that PGP key that I can find in multiple places with multiple signatures from other keys I can find in even more independent places, I would personally rest assured.

  611. Andrew Nenakhov

    It never ceases to amaze me how people want security and privacy but not the inconveniences that mandatorily come with them.

  612. steven

    Andrew Nenakhov, there's several levels of privacy of course. Of course I'd like the conversations with my friends to be private from petty hackers and bad admins getting government orders. But I know that these conversations are not safe from high-profile cyberspecialists. That's fine. If I'm about to become a whistleblower and talking with a newspaper, I'll up my security and my tolerance to the nuisances that come with it.

  613. andrey.g has joined

  614. pep.

    > Ge0rG> There is no trusted authority on PGP. This is what S/MIME is for... Trusting that authority is another story. DANE anybody? Does S/MIME even work with that

  615. Ge0rG

    steven: you've heard of https://evil32.com/ already?

  616. Ge0rG

    pep.: there was a proposal

  617. Ge0rG

    I'd love to have an implementation of that.

  618. Ge0rG

    pep.: but not just the fingerprint, store the whole certificate in DNS

  619. edhelas has left

  620. steven

    > steven: you've heard of https://evil32.com/ already? Ge0rG, hmm, I don't use the shortIDs personally. Not sure how, but my `gpg --list-keys` prints full IDs.

  621. Ge0rG

    steven: the point is that the key of your journalist is fake, together with all the keys that signed it

  622. Wiktor

    steven: defaults of gpg change over time, no automated system should use short fingerprints (OpenKeychain follows this)

  623. edhelas has left

  624. Wiktor

    Ge0rG: not necessarily, first of all legacy sigs used long key ids not short 32 bit but for years the full fingerprint is embedded in the signature

  625. Ge0rG

    Why isn't anyone complaining that HTTP upload to a MUC exposes your domain to all muc participants?

  626. Link Mauve

    Ge0rG, because Conversations displays a picture instead of a URL.

  627. Ge0rG

    Wiktor: Chance fifty fifty

  628. moparisthebest

    your avatar exposes things too

  629. Link Mauve

    So people are not aware of that.

  630. moparisthebest

    probably a bunch of other things

  631. Link Mauve

    moparisthebest, uh, no, it doesn’t.

  632. moparisthebest

    in a different way, it lets me tell 'dwd' in one channel is the same as 'Dave' in another channel etc etc

  633. moparisthebest

    if I happen to have the same person in my roster, that too

  634. Ge0rG

    Everybody should use the same avatar!

  635. Wiktor

    Ge0rG: this is 4 years old: https://gnupg-devel.gnupg.narkive.com/Z0EFUBU7/issuer-fingerprint-was-vanity-keys

  636. Ge0rG

    Wiktor: I'm speaking about obtaining a key out of band

  637. edhelas has left

  638. Wiktor

    > Wiktor: Chance fifty fifty > Wiktor: I'm speaking about obtaining a key out of band ?

  639. Wiktor

    OpenKeychain uses qr codes, full fingerprint

  640. lorddavidiii has left

  641. Zash has left

  642. daniel has left

  643. daniel has joined

  644. lorddavidiii has joined

  645. winfried has joined

  646. ta has left

  647. ta has left

  648. ta has joined

  649. Ge0rG

    But you can't scan the fingerprint of some journalist

  650. j.r has joined

  651. 404.city has joined

  652. Wiktor

    This one uses full fingerprint https://theintercept.com/staff/micah-lee/

  653. MattJ has left

  654. mrDoctorWho has left

  655. l has joined

  656. oli

    Ge0rG: i complain all the time (in my head)

  657. oli

    regarding http upload

  658. lovetox

    steven, 1. Gajim doesn't blind trust, but every single user tells me I should implement it 2. you just exchange one verification for another, you don't want to verify the omemo fingerprint, and trust a pgp signature on it, but next you don't want to verify the pgp fingerprint, then you just trust some names on a list that maybe work in a newspaper

  659. lovetox

    that's not how it works, if you want to be really secure, you have to put in the work

  660. lovetox

    there is no magic solution how a computer can tell you that you can absolutely be sure that on the other end is Human X

  661. lovetox

    at some point, someone has to check this in the real world

  662. oli


  663. Wiktor

    lovetox, I think steven mentioned that their company's employees verify their PGP fingerprints in real world

  664. lovetox

    and then the next thing you have to realize is, that clients are not developed for 1% paranoid people

  665. lovetox

    Wiktor, yeah so they know how this works, then they can do it with omemo fingerprints

  666. lovetox

    all of your pgp signing theories are way too complex to implement, it's already hard to get omemo as is working in a usable way

  667. Wiktor

    yes, but for PGP once you sign a key the person can rotate subkeys freely and the trust is retained

  668. Wiktor

    with OMEMO there is no master key to hold device keys together

  669. Wiktor

    just clarifying what's the scope, I actually had an idea how to implement it outside clients using PGP but without modification from XMPP client developers using verified XMPP URIs (what basically is in the OMEMO QR code)

  670. lovetox

    And? do you see anyone using pgp in xmpp?

  671. Ge0rG

    Wiktor [21:16]: > with OMEMO there is no master key to hold device keys together And you have O(n*m) manual key management overhead

  672. Wiktor

    pgp has two components, identity verification and signing/encryption, pgp for xmpp as is today is used only for signing/encryption, not identity verification

  673. Ge0rG

    Where n is your devices, and m the other users.

  674. Wiktor

    you already do M when you verify your users OMEMO keys?

  675. Wiktor

    the problem is you need to repeat it for every new device key

  676. lovetox

    That's the whole story of signal, no master key, it's a feature that enables you to easily add new devices

  677. lovetox

    that is what makes it usable for the masses

  678. lovetox

    now you want to "secure" that down to pgp levels

  679. lovetox

    just use pgp

  680. Wiktor

    there is no way to use pgp identity verification in xmpp currently

  681. Wiktor

    pgp fingerprints are transferred in band in all pgp xeps I've seen

  682. ta has joined

  683. lovetox

    xmpp is just a transport protocol, everything pgp offers you can use

  684. lovetox

    its like email in that sense, it transports the encrypted payload, you can verify around that with keyservers or whatever crazy construct you think up

  685. Yagiza has left

  686. Wiktor

    verification of pgp keys can be done with QR codes like with OMEMO and with OpenKeychain, nothing uses that so basically pgp in xmpp as it is now relies on server telling the fingerprints to clients, there is no paranoid mode like in OMEMO

  687. Wiktor

    but I think what steven proposed (as far as I understood) would be to use pgp keys that already have trust between them (bidirectional signing) to sign OMEMO device keys

  688. lovetox

    and how do I get the public key to verify the signature?

  689. lovetox

    dont tell me from a server :D

  690. Wiktor

    you get the fingerprint by scanning QR code, this is identical to OMEMO

  691. Wiktor

    see: https://github.com/open-keychain/open-keychain/wiki/QR-Codes

  692. lovetox

    ok, so you don't want to scan the omemo qr code, because that's somehow too much work, that's why we sign the omemo key, then scan the pgp key that this was signed with

  693. Wiktor

    I don't want to scan omemo keys every time contact changes devices, pgp key is stable as it is the root of trust

  694. lovetox

    to me this sounds like you just moved your problem and added complexity

  695. lovetox

    and how does a user add a new device, where does he store his secret master pgp key?

  696. moparisthebest

    you also don't really have to involve PGP to get the same thing right?

  697. lovetox

    on the phone he just lost?

  698. moparisthebest

    can't the device key you trust sign new device keys, and let you know about that?

  699. lovetox

    this is just exactly what people have done for 20 years with pgp

  700. lnj has left

  701. frainz has left

  702. lovetox

    having a master key and signing sub keys

  703. Wiktor

    lovetox, usually PGP master keys are more protected than offline keys like OMEMO, e.g. my signing/encryption keys are on hardware tokens, master key is on an airgapped offline machine

  704. Wiktor

    lovetox, exactly

  705. lovetox

    Wiktor, that's not usable for the masses

  706. lovetox

    they don't store secret keys on hardware tokens

  707. lovetox

    they get a new phone

  708. lovetox

    log in, and want to chat

  709. moparisthebest

    I meant something a little less strict, ie "trust any key I've trusted for x@x.com, and any new keys for x@x.com that one of my trusted keys have signed"

  710. Wiktor

    is verified omemo for masses? but it exists

  711. lovetox

    that's what the signal protocol solved, that's why whatsapp is using this protocol for 1 billion people

  712. frainz has joined

  713. lovetox

    so what you describe is not an issue with omemo, it's a design decision to make it usable for the masses

  714. lovetox

    if that's not secure enough just use pgp

  715. lovetox

    and if the pgp UI in clients is not what you think it could be, work on that

  716. lovetox

    instead of making omemo into something it was never designed to be

  717. Guus has left

  718. edhelas has left

  719. lnj has joined

  720. Wiktor

    this is not an issue with "pgp UI" nor pgp as used for encryption, but if you say omemo should stay as close to signal as possible... okay

  721. Wiktor

    moparisthebest, yep, that sounds lightweight, there is an issue with revoking devices and tracking which device signed which one

  722. moparisthebest

    uh, revoking is just "now my trusted key for x@x.com said not to trust this other key for x@x.com" ?

  723. steven has left

  724. moparisthebest

    just have to be careful that the signed message going away alone doesn't revoke trust, since the server operator could pull that off

  725. moparisthebest

    but it could also block the revoke message, I don't think there is anything you can do about that

  726. 404.city has left

  727. moparisthebest

    it's at best a "my phone was stolen please don't encrypt messages to it anymore" switch

  728. Wiktor

    Yep, maybe the signatures and revocation can be embedded in XMPP QR codes as for OMEMO, that is transported out of band

  729. Wiktor

    Yes, stolen or unused anymore

  730. moparisthebest

    yea that'd be pretty great

  731. Wiktor

    There is alternative to revocations - re-signing expiring signatures every N weeks or so

  732. Wiktor

    JWTs work like that... a little :)

  733. moparisthebest

    then an evil server op can revoke keys though

  734. moparisthebest

    trying to decide if that's a problem, I mean they can also just block messages

  735. Wiktor


  736. Wiktor

    but putting these signatures in random messages would hide them :)

  737. Wiktor has left

  738. !xsf_Martin has left

  739. frainz has joined

  740. frainz has left

  741. frainz has joined

  742. ThibG has left

  743. ThibG has joined

  744. winfried has joined

  745. lorddavidiii has left

  746. lorddavidiii has joined

  747. edhelas has left

  748. Wiktor has left

  749. ralphm has left

  750. edhelas has left

  751. winfried has joined

  752. winfried has joined

  753. Wiktor has left

  754. Wiktor has joined

  755. edhelas has left

  756. edhelas has left

  757. edhelas has left

  758. edhelas has joined

  759. lorddavidiii has left

  760. edhelas has left

  761. edhelas has joined

  762. alacer has left

  763. winfried has joined

  764. winfried has joined

  765. edhelas has left

  766. mimi89999 has joined

  767. j.r has joined

  768. jjrh has left

  769. oli has left

  770. oli has joined

  771. frainz has left

  772. marc_ has left

  773. marc_ has joined

  774. jjrh has left

  775. jjrh has left

  776. jjrh has left

  777. Ann has left

  778. frainz has joined

  779. j.r has joined

  780. j.r has joined

  781. frainz has left

  782. marc_ has left

  783. ta has left

  784. ta has left

  785. jjrh has left

  786. vanitasvitae has left

  787. oli has joined

  788. frainz has joined

  789. j.r has joined

  790. frainz has left

  791. frainz has joined

  792. lumi has left

  793. andrey.g has left

  794. thorsten has left

  795. thorsten has joined

  796. Lance has joined

  797. mimi89999 has joined

  798. Half-Shot has joined

  799. Half-Shot has left

  800. Half-Shot has joined

  801. Lance has left

  802. Half-Shot has left

  803. Half-Shot has joined

  804. tux has joined

  805. MattJ has joined

  806. Half-Shot has left

  807. Half-Shot has joined

  808. Half-Shot has left

  809. Nekit has joined

  810. efrit has joined

  811. sezuan has left

  812. andrey.g has joined

  813. Half-Shot has joined

  814. jjrh has left

  815. lnj has left