XSF Discussion - 2019-02-28


  1. vanitasvitae

    Nice, the XSF got selected for GSoC :)

  2. Guus

    Yes!

  3. Seve

    \o/!

  4. jonas’

    \o/

  5. rion

    seems like xep-0214 depends on deprecated xep-0137. Probably it has to be updated or deprecated too.

  6. rion

    we were just thinking on support@j.ru how to make file storage management for http upload.

  7. Wiktor

    vanitasvitae: is there a list of topics?

  8. Link Mauve

    rion, there is also XEP-0329, which depends on XEP-0234 instead.

  9. Link Mauve

    Those two are part of my list of deferred XEPs to look at and either revive or deprecate, but there was some opposition to deprecating a deferred XEP recently.

  10. Andrew Nenakhov

    Xep 214 is a bad idea that will end in pubsubfs, not that we're looking into

  11. rion

    Link Mauve: 329 looks good to me, thanks. and it can be combined with http jingle transport.

  12. Link Mauve

    Yup.

  13. Link Mauve

    I think goffi has another implementation of it.

  14. Link Mauve

    He demo’d it at the Summit.

  15. Link Mauve

    Andrew Nenakhov, being able to subscribe to a node mapping to a directory sounds useful though.

  16. Link Mauve

    The 0329 can’t be used for a dropbox-like, or even any notification.

  17. vanitasvitae

    Wiktor: in the xmpp wiki

  18. Wiktor

    vanitasvitae: kthx

  19. goffi

    indeed I have an implementation of XEP-0329, I'm pretty happy with it.

  20. goffi

    I've made a quick evaluation of various options, I've chosen this one because it's working and simple.

  21. goffi

    Link Mauve: while it can't be used for dropbox like?

  22. goffi

    s/while/why/

  23. Link Mauve

    goffi, how do you subscribe to files being added or removed or changed?

  24. goffi

    Link Mauve: is this needed for dropbrox like?

  25. goffi

    (note that I've never used dropbox)

  26. Link Mauve

    goffi, Dropbox is a software you install on your computer, which provides you a fuse(-like?) interface to mount a remote directory.

  27. Link Mauve

    Then when anyone puts files there, they will be downloaded on your computer.

  28. Link Mauve

    Or something like that.

  29. Link Mauve

    I haven’t used it either, but I’ve heard people talk about it.

  30. Zash

    It lets the cloud put files on your computer. Probably.

  31. jonas’

    I think the closest FLOSS thing is Sparkleshare

  32. jonas’

    or Seafile

  33. jonas’

    so if you want to check out the UX, go to those projects

  34. jonas’

    although sparkleshare in particular was pretty bad when I tested it the last time

  35. nyco

    hi

  36. Guus

    Hello

  37. Link Mauve

    jonas’, yes, it is.

  38. Link Mauve

    Also unmaintained.

  39. goffi

    Link Mauve: to look for files on a server (my current use case), XEP-0329 is enough and working well. To subscribe to a directory or a file it would need to be extended, but I think it can be done quite cleanly with references.

  40. Link Mauve now shuts up and lets board do boardy things.

  41. Guus

    Seve ralphm MattJ shall we meet?

  42. Link Mauve

    goffi, XEP-0214 did that already.

  43. goffi

    yes, but it's overcomplicated in my opinion

  44. nyco

    to all, my apologies for last week, as I did not join, and did not tell...

  45. Guus

    I think you did?

  46. Guus

    or was that the week before? I was not here last week myself.

  47. Guus

    anyways. you are forgiven. 🙂

  48. Guus

    ... did these guys find another place to meet while we were gone?

  49. MattJ

    Hey

  50. Guus

    ola!

  51. Seve

    Hi! My bad

  52. MattJ

    Sorry, had a delivery arrive just as the meeting began :)

  53. MattJ

    Just missing ralphm?

  54. Guus

    That's generally when delivery guys show up at my door too. Mostly for neighbors, too.

  55. Guus

    yes

  56. nyco

    a softer way of swatting?

  57. Guus

    perhaps 🙂

  58. nyco

    https://trello.com/b/Dn6IQOu0/board-meetings

  59. Guus hands a gavel to nyco

  60. nyco tries to catch it on the fly

  61. nyco

    BANG

  62. nyco

    Minute taker, who are you today?

  63. nyco

    so we have Seve, Matt, Guus, and me, only Ralph is missing

  64. nyco

    we have 2 topics for decision:
    * E2E CA req
    * membership application commitment:
    * typo in deferred XEP discussion:
    * money, money, money
    * reach out high profile users
    * badge designer

  65. nyco

    let's start ?

  66. nyco

    1. E2E

  67. nyco

    file:///Users/nyco/code/converse.js/fullscreen.html

  68. nyco

    oops

  69. nyco

    https://trello.com/c/JIVSMPah/336-e2e-authentication-in-xmpp-ca-requirements

  70. nyco

    <you know my client now>

  71. Guus

    are you typing a lot in one message, or do I have delays?

  72. nyco

    maybe the weather

  73. Guus

    that's possible 🙂

  74. Guus

    wifi is acting up 🙂

  75. Guus

    I must admit I've not yet taken the time to study the E2E protoxep

  76. nyco

    so I have no clue of this item, too tech for me, I hand over to <who>?

  77. MattJ

    Yeah, I need more time to review it

  78. nyco

    so what's neede here?

  79. nyco

    so what's needed here?

  80. Guus

    It seems two-pronged, at least.

  81. Ge0rG

    If this is the CA part of the recently rejected XOR proto-XEP, it's about the XSF running a CA

  82. nyco

    so what's needed from the Board here?

  83. nyco

    oh ok

  84. Guus

    I'm assuming that this is brought before board, because it defines XSF-organisational requirements?

  85. jonas’

    there is a separate ProtoXEP for that

  86. Link Mauve

    Ge0rG, it has been accepted, hasn’t it?

  87. jonas’

    https://xmpp.org/extensions/inbox/eax-car.html

  88. Guus

    In our trello board, this is linked: https://xmpp.org/extensions/inbox/eax-car.html

  89. jonas’

    ha!

  90. nyco

    https://xmpp.org/extensions/inbox/eax.html https://xmpp.org/extensions/inbox/eax-car.html

  91. jonas’

    now we have it linked thrice

  92. MattJ

    The stated requirements for the XSF seem trivial enough as specified, but I'm not sure what the wider context is here

  93. nyco feels there is lag indeed

  94. jonas’

    the eax.html is Standards Track and has been handled by Board

  95. jonas’

    but it’s useful context

  96. jonas’

    more context is in xor.html

  97. MattJ

    What root CAs are we supposed to redirect to? Is there some vetting to be done? etc. - I need to read it more

  98. Seve

    Same here as the rest

  99. MattJ

    and why isn't relying on normal trust anchors enough? E.g. Mozilla's

  100. nyco

    are we able to do this?

  101. Guus

    Also - this introduces the XSF as a single source of truth

  102. MattJ

    So let's punt on this for the moment, understand it more and discuss next week

  103. Guus

    which somewhat clashes with doing things distributed/federated - unsure if that can be helped here (I must read more, as a wise man just said), but it's bound to raise brows.

  104. Ge0rG

    MattJ: normal CAs are forbidden to issue non-web certificates, essentially, by CA/Browser Forum rules

  105. Ge0rG

    (which is something the XSF Board might well be able to address, in a proper formal inquiry to the CABF)

  106. nyco

    if there is a CA, there are many ICA ?

  107. nyco

    which is more decentralised, still as a pyramid

  108. jonas’

    kind of like how DNSSEC works

  109. Guus

    Ge0rG is that an alternative approach than the one suggested in the XEP?

  110. nyco

    a blockchain-based CA? wait no

  111. Ge0rG

    Guus: no, it's completely orthogonal. I haven't had the time to read _this_ incarnation of the XEP either

  112. Guus

    Ge0rG ok thanks

  113. Seve

    I think there are too many questions on this one :)

  114. Guus

    as MattJ suggested, lets kick this can down the road for a week.

  115. MattJ

    +1

  116. Guus

    (and do some reading)

  117. nyco

    2. XEP-0345 (Form of Membership Applications)

  118. nyco

    card without description, what's needed from the board?

  119. nyco

    https://xmpp.org/extensions/xep-0345.html

  120. MattJ

    Who added it?

  121. Guus

    approval.

  122. Ge0rG

    nyco: it's a procedural XEP that needs to be decided upon

  123. nyco

    ok

  124. Ge0rG

    So Board should decide whether it shall be accepted or not.

  125. nyco

    so I feel like email, jid, affiliations and name are not enough. Can we add things like values, objectives, past contributions?

  126. Guus

    I only now see that there was feedback in the Last Call

  127. MattJ

    nyco, I think that's up to the candidate to add as much as they want to share to be accepted

  128. Seve

    I would have wanted that to be a discussion topic maybe? And then decide something about it.

  129. MattJ

    I don't think we need to make those things mandatory in a formal document

  130. nyco

    mandatory no, but as an option

  131. nyco

    rather a suggestion

  132. Guus

    MattJ didn't you raise an example of someone having 'valid' reasons for wanting to apply anonymously?

  133. Guus

    although we shot down applying anonymously before, your example might warrant to re-address that

  134. MattJ

    Possibly so

  135. Guus

    I think you were going to see if said person would be willing to provide details?

  136. Guus

    Do you recall who I'm talking of? You weren't specific.

  137. MattJ

    There is a slight difference between being an anonymous member and having your details being known only to the Secretary

  138. Guus

    If that's still ongoing, I'd like to have that information before voting on XEP-0345.

  139. MattJ

    Yes, I recall the conversation, I need to follow up

  140. Ge0rG

    I've recently brought up the anonymity question, and by now told the respective user that it's not an option.

  141. jonas’

    did you also tell them that contributing to standards etc. is very much possible without being a member?

  142. MattJ

    Ge0rG, iirc that was before the summit, where we had some in-person discussions about how we may improve the process

  143. Guus

    Ge0rG which is what we decided on.

  144. MattJ

    The decision still holds

  145. MattJ

    We /may/ be able to change the way we do things, and we /may/ decide to do that

  146. MattJ

    and that may or may not be enough for these people who want to remain anonymous

  147. Guus

    (what he said - my choice of words was poor)

  148. Ge0rG

    But you SHOULD document the current status quo in some way. And XEP-0345 is a good place

  149. Guus

    Agreed - I'd still like to review the feedback from the Last Call before I vote. I neglected doing that.

  150. MattJ

    Same

  151. nyco

    ok next item?

  152. nyco

    3. typo in deferred XEP

  153. nyco

    https://trello.com/c/U3OJ4sQx/328-clarify-what-happens-when-a-typo-or-equivalent-is-fixed-in-a-deferred-xep

  154. Guus

    I think we have a fix for that, and this trello card was only left for tracking that that fix got applied?

  155. Guus

    jonas’ - do you recall the details?

  156. Ge0rG

    It was decided upon in January

  157. MattJ

    "In today's board meeting, Board agrees with Jonas' suggested change, and ask the Editor to draft a proposal for the change in XEP-0001."

  158. jonas’

    Guus, yes... I should make a PR

  159. jonas’

    buuuuuut .... -EBUSY

  160. Guus

    sure, no problem

  161. nyco

    looks weird to un-defer to re-defer later, can't we just allow editing of deferred XEPs, at least for archival purposes and probable later revival?

  162. Guus

    just trying to recall if there's something for us to do here 🙂

  163. Guus

    nyco we already voted on this - do you really want to re-open the issue?

  164. Seve

    I have a question for you about that jonas’, would it be possible to specify the equivalent? For instance I would like to update my contact information on an XEP, so I guess that falls into equivalent as well, but it would be nice to have this specified

  165. jonas’

    Seve, sorry, -ENOCTX

  166. nyco

    nope, I'm fine, can't recall, sorry, was it a meeting I missed?

  167. Guus

    (yeah, you need to be slightly less nerdy for me to follow here 😛 )

  168. nyco

    4. Money

  169. nyco

    https://trello.com/c/1yN2GL4q/296-fundraising-and-financing

  170. MattJ

    Seve, I guess we can consider that when the PR is submitted

  171. Guus

    I think this boils down to a) there's general consensus that the XSF could use more money to 'do things' that stimulate XMPP, and b) we need to find sources of income.

  172. MattJ

    i.e. make sure the wording encompasses those kinds of changes

  173. MattJ

    Guus, right

  174. Guus

    we've previously established that from a financial point of view, the XSF is in good shape - but does not have much reserves to significantly spend on things

  175. Guus

    Maybe it's time to bury this card, and recreate one that says 'get sponsors' (which actually is hopefully a byproduct of the next card )

  176. nyco

    I'd say it's more of a continuous effort...

  177. Guus

    unless there's other topics related to 'fundraising and financing' that board wants to discuss

  178. MattJ

    Guus, that sounds like good progress

  179. nyco

    5. Define strategy to reach out to (and reap benefits) high profile XMPP applications/users.

  180. nyco

    https://trello.com/c/dGy6D0yl/334-define-strategy-to-reach-out-to-and-reap-benefits-high-profile-xmpp-applications-users

  181. Guus

    for various reasons, I feel that we should get in touch with high-profile XMPP applications

  182. Ge0rG

    slightly related to this, Winfried wrote in his application <https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019> that he wanted to reach out to interesting XMPP deployments

  183. Guus

    1) they act as awesome showcases - which can be good for marketing

  184. Guus

    2) we can likely learn a lot from each-other - they can benefit from our resources, we can benefit from their expertise

  185. Guus

    3) some of these might be sponsor candidates

  186. Ge0rG

    Guus: it would be great to approach the companies behind https://xmpp.org/uses/gaming and also to finish https://github.com/xsf/xmpp.org/issues/490

  187. Guus

    Ge0rG yes.

  188. Guus

    As we do not have an executive director anymore (who I'd think would be perfect for the reaching out), I think that it falls on board to figure out how to approach this.

  189. Guus

    which I suggest boils down to: "who do we contact?" and "what message do we want to convey?"

  190. Guus

    I have very little experience here, so I'm looking for input.

  191. Ge0rG

    Guus: also it's good to clarify who is "we"

  192. nyco

    our approach could be bottom-up, to start with, that is: we collect those data from members willing to share

  193. Guus

    Ge0rG to clarify, with 'we' I mean 'the XSF'

  194. Seve

    I don't see any other 'we' here

  195. Guus

    nyco what 'data' do you mean exactly?

  196. nyco

    use cases, verticals, numbers, values, benefits

  197. Ge0rG

    Guus: 'we' should be a volunteering person or maybe a small working team. SCAM or commteam might be a good fit.

  198. MattJ

    Guus, I think something winfried and I were discussing in Brussels... many of the people involved in the XSF are involved with various XMPP projects that don't necessarily get the exposure they deserve

  199. MattJ

    I'm sure some of them don't want to, but I'm also sure some of them do

  200. Ge0rG

    Winfried might be a good candidate if he happens to have time.

  201. Ge0rG

    I planned to ask him, but his server was down

  202. Guus

    I'm hearing the name "Winfried" a lot, so it makes sense to at least ask him if he is interested in taking point on this.

  203. Guus

    but I do wonder if the reaching-out bit should be done by an officer.

  204. Ge0rG

    Guus: according to his own words from four weeks ago, he is

  205. Guus

    as it's the beginning of potentially formal relationship?

  206. Seve

    When I applied for board I mentioned I would like to see what we can do about making companies advertise they use XMPP like they would do using any kind of framework or language for example, but I have no experience on this topic. But I don't think just a single person can manage all of this. From my point of view we should gather together like we do in these meetings and start bit by bit discussing how, what, etc.

  207. Ge0rG

    From https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019:
    > I want to do more of those: go out there and interview the people behind interesting XMPP deployments and publish about them.

  208. nyco

    if we want exposure, we can do interviews 5 to 10 questions, always the same, send them to a project/product leader (dev, product, marketing, CEO, whatever), put them in shape, do a blog post, automatically post to Twitter (and more, if possible)

  209. MattJ

    Guus, my point is that many of us are already working with the people we're discussing

  210. MattJ

    and that's our easiest way into such users of XMPP

  211. MattJ

    rather than starting cold with high-profile users we've got no current routes into

  212. nyco

    Seve this is an itch I also would like to scratch

  213. Seve

    nyco, that's in my todo list, I wanted to reach to companies and do that kind of interviewing, so it is fair for everybody

  214. Seve

    But we need to talk a bit on what to ask, and so on

  215. Guus

    Many things at the same time: Ge0rG: good! nyco: that would be awesome, but I like to have more: not just an article, but active involvement. MattJ also, that's a good start, but I also want to find _new_ organisations.

  216. nyco

    I'm following you Seve

  217. MattJ

    Guus, you think the XSF knows all the current ones?

  218. nyco

    Guus article vs article involvement

  219. Guus

    nyco: much more than articles! I'd like them to eventually become members 🙂

  220. Guus

    but they're all good starts

  221. nyco

    Guus MattJ yes, hidden uses of XMPP are everywhere

  222. Guus

    MattJ no, definately not - and what you propose might be a good start.

  223. Guus

    This topic might warrant a meeting on its own

  224. Guus

    (also, we're running out of time - and I need to divert my attention soon)

  225. Seve

    Several even :D

  226. winfried

    Seve I already interviewed one and am in the process of finishing it, good to team up

  227. Ge0rG

    winfried! \o/

  228. nyco

    Guus oh yeah, definitely, members rock though, I felt that many orgs follow the XSF, but do not wish to contribute/participate, for various reasons: no time, shyness, intimidating, too/only technical

  229. Guus

    Can we wrap up for today?

  230. MattJ

    nyco, also I've encountered some that didn't want their use of XMPP to be public knowledge

  231. nyco

    hey, we have passed the 16:00 mark, we should adjourn this meeting, who is against that?

  232. MattJ

    +1

  233. Seve

    MattJ, interesting

  234. nyco

    Next ? +1W as usual ?

  235. MattJ

    wfm

  236. Ge0rG 's got another point for heated discussion, but will delay that by +1W

  237. Guus

    I'm fine with +1w

  238. nyco

    BANG

  239. Seve

    Sure +1

  240. nyco

    Thanks everybody! 😉

  241. MattJ

    Thanks nyco and all :)

  242. Seve

    Very nice to meet with you all!

  243. Guus

    Ge0rG curious, what was the topic?

  244. Guus

    I like to be prepared for next time 🙂

  245. Ge0rG

    Guus: it's related to the Jabber trademark.

  246. Guus

    your license was arranged, right?

  247. Guus

    so, different issue?

  248. Ge0rG

    Guus: right

  249. Guus

    kk

  250. Guus

    "looking forward to it"

  251. Guus

    😉

  252. MattJ

    :)

  253. zinid

    so XEP-CAR is postponed?

  254. zinid

    *EAX-CAR

  255. winfried

    Ge0rG: time to do some SSL debugging?

  256. Ge0rG

    winfried: do you mind running your domain through xmpp.net?

  257. winfried

    don't mind :-D

  258. MattJ

    zinid, yes, until next week

  259. zinid

    tl;dr? 😀

  260. MattJ

    Just so everyone can get a better understanding of what the responsibilities are

  261. zinid

    well, I'm just asking to run the url redirection, it's experimental anyway

  262. MattJ

    Good to know

  263. zinid

    but of course I can just copy that CA/B Forum's insane requirements to the XEP so *nobody* will be able to read it

  264. MattJ

    Can you give an example of an entity the redirect might go to?

  265. zinid

    MattJ, we're going to start the CA at process-one, that will be the first URL for redirection

  266. MattJ

    or... just maybe wait until I've read the other XEP, I'll probably understand more then :)

  267. MattJ

    Ok

  268. moparisthebest

    jonas’, Link Mauve: I'd say closest floss thing to Dropbox would be nextcloud or syncthing , I probably wouldn't want my xmpp client trying to reinvent that wheel...

  269. Link Mauve

    moparisthebest, does that mean you want it to be impossible to implement such a service?

  270. Link Mauve

    It doesn’t have to be your client.

  271. moparisthebest

    no of course not

  272. MattJ

    What advantages does using XMPP have here?

  273. moparisthebest

    just, to me, seems totally unsuited for XMPP

  274. winfried

    Ge0rG: https://xmpp.net/result.php?id=1452651 :-D

  275. Ge0rG

    winfried: so you only accept ECDSA and I reject ECDSA

  276. winfried

    Ge0rG: Got already a smelling suspicion....

  277. Ge0rG

    winfried: https://xmpp.net/result.php?domain=yax.im&type=server#ciphers

  278. Ge0rG

    winfried: is there a particular reason for ECDSA?

  279. Guus

    zinid can you share a link to the insane CA/B Forums requirements? 🙂

  280. zinid

    MattJ, for incident resolution we can just borrow formal rules developed by CA/B Forum, but I don't want to copy the whole requirements of CA/B Forum, they are too complex and this will prevent some OSS community from running any CA at all except a few companies with money

  281. Ge0rG

    Guus: https://cabforum.org/baseline-requirements-documents/

  282. Guus

    tx

  283. Link Mauve

    moparisthebest, getting notifications about things, and being able to manage things you already uploaded in some form over XMPP, doesn’t sound that unsuited to me.

  284. Link Mauve

    In the recent years, a lot of clients have started uploading files to their server for instance.

  285. zinid

    Guus, achtung, the document is very TL;DR 😀

  286. Link Mauve

    It would be useful to have a way to manage that, instead of an upload once, regret forever kind of thing.

  287. moparisthebest

    only to share links, synchronizing directory trees across computers is an entirely different ballgame

  288. goffi

    XMPP is absolutely suited for that, and I'm already on the way of doing something similar. XMPP brings its ecosystem (accounts, permissions, notifications, etc.)

  289. Link Mauve

    And that.

  290. Guus

    zinid aren't they always? 🙂

  291. zinid

    Guus, yeah, CA is hard

  292. winfried

    Ge0rG: must have been, but I don't remember anymore... ;-) I guess I may relax my ciphers a bit.

  293. Ge0rG

    winfried: you could use the recommendations from https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

  294. moparisthebest

    winfried, it doesn't look like cipher selection as much as you got an ecdsa key+certificate and not an RSA one ?

  295. Ge0rG

    you can get a pure ecdsa cert from public CAs?

  296. zinid

    Ge0rG, yes

  297. zinid

    Let's Encrypt may issue pure ECC cert

  298. Ge0rG

    and it won't do RSA based DH?

  299. zinid

    Ge0rG, no, ejabberd's ACME only supports ECC so far and LE doesn't complain

  300. Ge0rG

    zinid: so I won't be able to talk to any of the ejabberd self-ACMEd servers if I forbid ECDSA?

  301. zinid

    Ge0rG, yes, but that's a bug of ejabberd of course

  302. Ge0rG

    why are you even promoting that footgun?

  303. zinid

    I promote?

  304. zinid

    that was GSoC, and as any GSoC it sucks

  305. Ge0rG

    ECDSA is the most profoundly misdesigned crypto algorithm of the last decade or so

  306. zinid

    ah, you mean DSA?

  307. zinid

    sorry, I'm lost in terms

  308. zinid

    I thought you meant pure ECC cert (or how it's correctly called, i.e. not RSA)

  309. Ge0rG

    zinid: I'm speaking of the ECC based algorithms that are part of TLS

  310. zinid

    okay, then I don't know what you mean, I'm clueless

  311. moparisthebest

    Ge0rG, looks like you support all the ECDHE* algorithms and even prefer them though

  312. moparisthebest

    that's a different issue than ECDSA vs RSA certificates

  313. Ge0rG

    Okay, so I'm probably too stupid to follow my own advice.

  314. moparisthebest

    also TLS 1.3 called and said it ONLY supports ECDHE algorithms so, keep that in mind :)

  315. zinid

    ECDHE is something that only works with ECC certs, right?

  316. moparisthebest

    no

  317. zinid

    😀

  318. moparisthebest

    entirely separate things

  319. zinid

    okay

  320. moparisthebest

    for ECDSA vs RSA certificates, it's on my list of things to investigate, I *think* new nginx supports having both

  321. moparisthebest

    I'm *guessing* no XMPP server currently does

  322. zinid

    wtf is ECDSA certificate?

  323. zinid

    which is based on ECC private key or what?

  324. Zash

    moparisthebest: You can probably configure Prosody with that now, if you have bleeding edge LuaSec

  325. winfried

    Zash: interesting challenge :-)

  326. moparisthebest

    I think I'll try nginx first :P

  327. zinid

    according to wikipedia it seems like ECDSA cert is indeed a ECC cert

  328. zinid

    moparisthebest, haproxy supports the combo for sure

  329. zinid

    and we have some feature requests to support that in ejabberd

  330. moparisthebest

    but only useable with xep-0368 I'm guessing?

  331. zinid

    if you use front-end like haproxy? yes

  332. Zash

    moparisthebest, winfried: https://issues.prosody.im/809#comment-5

  333. moparisthebest

    awesome, maybe I will try that first then, thanks Zash

  334. winfried

    Zash moparisthebest checking right now with my SSL-supplier if I can get a second certificate....

  335. Ge0rG

    winfried: unfortunately my testssl is going very slow.

  336. Ge0rG

    winfried: is the cert the same as on your https://?

  337. moparisthebest

    winfried, not using letsencrypt?

  338. winfried

    Ge0rG: same as https://tilanus.com/ not the same as https://www.tilanus.com/

  339. Ge0rG

    winfried: one is a redirect to the other :>

  340. winfried

    Ge0rG: / yes

  341. Ge0rG

    winfried: anyway, I wanted to ping you regarding your promise in the Membership application. Can do that in public as well

  342. winfried

    Ge0rG: :-D

  343. Ge0rG

    winfried: it would be awesome if somebody could follow-up on https://github.com/xsf/xmpp.org/issues/490 and to contact the different teams behind the https://xmpp.org/uses/gaming items

  344. winfried

    Ge0rG: do you know if anybody has contacts to one of those groups?

  345. zinid

    Riot Games used to be our customer

  346. Ge0rG

    winfried: when I was collecting the links for the gaming section, I tried to find the most authoritative ones. If they don't list contacts, I don't have anything better unfortunately.

  347. zinid

    not sure how that promotes XMPP though, as the majority of them use highly customized XMPP servers

  348. zinid

    except maybe EVE online

  349. zinid

    for the record, EVE Online maintains their ejabberd branch at github

  350. zinid

    last time I checked they had very few changes from mainline

  351. Ge0rG

    zinid: is it wrong to run heavily patched servers?

  352. winfried

    Ge0rG: I would like to avoid making cold calls/doing research to find the right people, but I will be able to do so if needed...

  353. zinid

    Ge0rG, well, heavily patched means they patch the parts related to XMPP protocol, so basically they are not XMPP compliant

  354. zinid

    like WhatsApp for example

  355. zinid

    it's hard to call them XMPP

  356. winfried

    zinid: I call WhatsApp XMPP inspired, not an XMPP deployment...

  357. zinid

    winfried, we can call almost all of them this way

  358. zinid

    they start from XMPP and then diverge drastically

  359. zinid

    dropping all the bloat of XMPP

  360. Ge0rG

    winfried: I can understand that, yeah. But I don't know what would be a better way. Write a post on xmpp.org saying "Dear large scale deployments, please contact us for cross promotion"?

  361. winfried

    Ge0rG: yes, would be a nice way, also good to point to if I am making a cold call...

  362. Ge0rG

    winfried: this directly plugs into today's Board discussion, have a list of questions about the deployment.

  363. Ge0rG

    MattJ did a survey among xmpp developers recently.

  364. zinid

    what survey?

  365. winfried

    zinid: it is hard to draw a line when something is still XMPP or not, many private deployments extend or bend the protocol in some way. But some of them may still provide nice usecases for XMPP. But it would be good to stay critical about it. (And some would be better off if they kept in closer contact with the XSF)

  366. winfried

    Ge0rG: I saw it, I answered it myself too ;-)

  367. winfried

    Ge0rG: There may be different projects here: a survey, liaison and whitepapers

  368. Ge0rG

    zinid: https://goo.gl/forms/L1AKnTLXjIAfP27W2

  369. Ge0rG

    Not sure where the results landed

  370. MattJ

    Ge0rG, Prosody community != XMPP developers...

  371. MattJ

    The results landed somewhere where Zash has been nagging me to process them (the survey isn't officially closed yet)

  372. winfried

    (will be AFK for a while) Ge0rG, zash, I will try an ECDSA and an RSA cert side by side later today

  373. Ge0rG

    winfried: I'm pretty sure it's not about the cert but about the allowed ciphers

  374. Ge0rG

    But then again, I'm not an expert

  375. moparisthebest

    that's correct but the ciphers you can use depend on your cert

  376. moparisthebest

    ECDHE-RSA-AES256-GCM-SHA384

  377. moparisthebest

    that can only be used with an RSA cert

  378. winfried

    I checked my configuration, it should allow RSA

  379. winfried

    (really gone now)

  380. moparisthebest

    ECDHE-ECDSA-AES256-GCM-SHA384

  381. moparisthebest

    that can only be used with an ECDSA cert

  382. Ge0rG

    But you can use ECDSA with an RSA cert?

  383. moparisthebest

    those are different things though

  384. moparisthebest

    gah I wish I knew the term, there is the certificate part, then the key exchange part, then the encription part

  385. moparisthebest

    also wish I could spell haha, encryption*

  386. Ge0rG

    LMC to the rescue!

  387. zinid

    > And some would be better off if they kept in closer contact with the XSF
    I'm not sure they are interested, they don't think in terms of the protocol, just like when you deploy an HTTP server you don't go in contact with the corresponding standards body

  388. moparisthebest

    don't think dino does that yet, or I don't know the spell to invoke it

  389. MattJ

    zinid, I tend to agree. I think XMPP is useful for many of them to bootstrap, but they don't necessarily need federation or interoperability

  390. MattJ

    Even if both those things would generally be considered good by most people here, they do come at a cost, so I see why they get dropped easily

  391. MattJ

    We should still make contact with them though, I think having communication with them can be good, even if we fail

  392. zinid

    MattJ, they also choose a solution, among others, so this has nothing to do with the protocol. I just know how they think, we talked to them a lot, for example, with Belkin (former Linksys). BTW, they run 2M IoT devices on their cluster (just in case, it's not mentioned by the XSF IoT cases page)

  393. zinid

    and solution typically means "how much money"

  394. Ge0rG

    zinid: is Belkin documented anywhere in the public?

  395. zinid

    Ge0rG, yes, but I'm not sure they want to reveal their capacity

  396. zinid

    https://fluux.io/clients

  397. zinid

    they only allowed us to mention them as a client

  398. zinid

    *a customer

  399. Ge0rG

    zinid: this is what I meant by "in the public"

  400. zinid

    what exactly? The fact that they use XMPP? Or their capacity?

  401. zinid

    although, it's hard to call that XMPP, they just send encapsulated JSON and use XMPP as a streaming transport only. We try to convince them to MQTT instead.

  402. zinid

    *to use MQTT

  403. zinid

    as MQTT requires far less resources, we can shrink cluster capacity twice or so

  404. Ge0rG

    zinid: the fact that they are using XMPP. That would be a good mention for the IoT page

  405. zinid

    well, it's up to you of course, but my view is that XMPP is something about federation, and this is where "the community" fails miserably, I think there are fewer than a million users using federated XMPP

  406. zinid

    in the sense that the XSF spends so much time to produce federated protocols (the compliance suite is an example), but the largest user base is located at walled gardens of quasi XMPP

  407. Ge0rG

    zinid: I'm speaking of XMPP the protocol, not Jabber the IM network

  408. zinid

    well, I clarified what I mean

  409. pep.

    Re CABF, can XSF members not infiltrate it? :p What do you need to get in? money?

  410. Zash

    Be a browser or a CA I guess?

  411. Ge0rG

    pep.: excellent question. There was a discussion about xmpp srv-id already some years ago. But it seems to not have led anywhere

  412. pep.

    Ge0rG, yeah I remember that thread

  413. pep.

    Do we have a clear set of changes we want to bring to that document?

  414. pep.

    Then we'd need to invest time in politics a bit

  415. Ge0rG

    pep.: we should at least demand that SRV ids are not forbidden in SANs

  416. Ge0rG

    I'm not sure what the state of art is in xmppAddr fields.

  417. Ge0rG

    It would be awesome if we could ask a public CA for a cert that only contains an srvId for an xmpp server. That would allow secure delegation of your xmpp to a service provider without letting them impersonate your webshits

  418. Ge0rG

    Not that web security was in a good shape.

  419. pep.

    I'd also like to be able to set another Key Usage

  420. pep.

    (X509v3 Extended Key Usage)

  421. Ge0rG

    pep.: what exactly do you want to have there

  422. pep.

    _not_ Web

  423. pep.

    For a start

  424. Ge0rG

    pep.: https://github.com/letsencrypt/boulder/issues/1309

  425. pep.

    Yeah I know that issue

  426. pep.

    And we need to do something about it now, because LE is not going to

  427. pep.

    But it's not just about SRV id in SANs, it's also that Key Usage

  428. pep.

    i.e., s/TLS Web Server Authentication/TLS Server Authentication/

  429. pep.

    Or even s/Web/XMPP/

  430. moparisthebest

    Ge0rG, pep. , or we could push for DNSSEC + DANE ?

  431. moparisthebest

    that way you control what key is valid for what server+port via DNS

  432. moparisthebest

    seems better and more doable than getting CAs to do anything

  433. Wiktor

    moparisthebest, you can specify multiple certs in nginx since 1.11, it's designed to be used in RSA+ECDSA scenarios, see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

  434. Wiktor

    note that even though Let's Encrypt will issue an ECDSA cert, it will be signed by their RSA intermediate cert, they don't (yet) have a full ECDSA chain: https://letsencrypt.org/upcoming-features/

  435. moparisthebest

    ah thanks, I thought I remembered them adding support for that I just haven't gotten around to it yet

  436. Wiktor

    👍️

  437. pep.

    moparisthebest, that's orthogonal. Even though I agree we could focus our efforts on one thing, I'm not sure which one to do. I remember daniel having criticism against dnssec, or the deployment (middle boxes) in germany or sth, but I don't remember the details

  438. Ge0rG

    moparisthebest [19:57]:
    > Ge0rG, pep. , or we could push for DNSSEC + DANE ?
    I'm sure that 2019 will be the year of DNSSEC. Especially for the IM TLD

  439. pep.

    Yeah and that..

  440. moparisthebest

    all new domains since, idk, 2012 or something have DNSSEC support

  441. pep.

    not .im no

  442. moparisthebest

    I'd argue any domain having right now supports it, maybe it's time to abandon .im

  443. pep.

    not im. no

  444. moparisthebest

    that's not a new one

  445. pep.

    Ah right my bad. Well in the meantime..

  446. moparisthebest

    oh, I missed a word haha

  447. moparisthebest

    I'd argue any domain worth having right now supports it, maybe it's time to abandon .im

  448. pep.

    I always verify the tld supports it before I buy anything fwiw

  449. Ge0rG

    It'll be another decade until all DNS servers support it.

  450. moparisthebest

    I still can't find the link I wanted but the gtld's, all the new fancy ones, must have DNSSEC support

  451. moparisthebest

    all DNS servers support it now? maybe you mean all TLDs ?

  452. Ge0rG

    Just this week I had a problem with a Telekom DNS server returning ServFail for a non-existent SRV record on a DNSSEC-signed domain... after a 3s delay!

  453. Ge0rG

    moparisthebest: I'm speaking of resolvers out there in the wils

  454. Ge0rG

    moparisthebest: I'm speaking of resolvers out there in the wild

  455. Ge0rG

    Some CPE routers still fail at SRV altogether

  456. moparisthebest

    those are already dead https://dnsflagday.net/

  457. Ge0rG

    On yax.im I've got 10-15% of non SRV clients

  458. moparisthebest

    I give it about another year before 99.9% of the DNS requests are via HTTPS anyway

  459. moparisthebest

    and all those support DNSSEC etc

  460. !xsf_Martin

    Please tell me when he’s done flooding with part/join, so I can take back my normal nick.

  461. Ge0rG

    yax.im: Serious problem detected! This domain will face issues after February 1st 2019!

  462. pep.

    !xsf_Martin, how are we supposed to see now? :p

  463. pep.

    xml_tab?

  464. pep.

    Not even, that wouldn't get to me

  465. Link Mauve

    Seems fixed.

  466. Ge0rG

    You need to see presence changes to understand the context, right?

  467. pep.

    indeed

  468. pep.

    Who do I need to ping again to appear in planet jabber? ralphm?

  469. winfried

    moparisthebest Ge0rG: to resolve the discussion: at Prosody, with an ECDHE certificate it accepts only incoming ECDHE connections, with an RSA certificate only RSA connections

  470. Ge0rG

    That's... unfortunate.

  471. dwd

    pep., ralphm, indeed. Maybe intosi can help, I don't know.

  472. dwd

    moparisthebest, I do hope we don't end up with DoH everywhere. The ramifications of that scare me badly.

  473. moparisthebest

    winfried, I mean that's not prosody specific, that's universal TLS (assuming you meant ECDSA instead of ECDHE)

  474. moparisthebest

    dwd, too late, I think it's the default on latest android?

  475. moparisthebest

    also enable-able in firefox

  476. dwd

    moparisthebest, All the DNS data going through Google, is it?

  477. dwd

    moparisthebest, And no doubt it's for our own good, of course.

  478. moparisthebest

    I would guess by default yes :'(

  479. Ge0rG

    Google and Clownflare

  480. winfried

    moparisthebest: I also assume it is universal, but I just tested it on prosody

  481. Ge0rG

    Using Google DNS is already a reality on my Samsung phone

  482. moparisthebest

    winfried, but did you try both?

  483. dwd

    winfried, OpenSSL, at least, can accept multiple cert/key pairs, and if given both it'll use whichever fits the ciphers requested.

  484. winfried

    moparisthebest: yes, I tried both

  485. moparisthebest

    I run my own though, which randomly picks from a list of upstream DNS servers, and proxies over tor, so I like dns-over-tls (and dns-over-https) sorry for shameless plug https://github.com/moparisthebest/jDnsProxy

  486. winfried

    winfried: 100% guarantee, the key I select, the cipher I get :-D

  487. winfried

    dwd: I know, but I am trying to get prosody talking both, no success so far.

  488. winfried

    diving into the debugging logs right now

  489. winfried

    Zash: I tried https://issues.prosody.im/809#comment-5 no luck, it picks only the ec certificate like that. I tried to verify I really got the right version of luasec (installed the dev version locally, ahead in the path of the regular/package manager one) but I am not 100% sure it picked the right one.