-
vanitasvitae
Nice, the XSF got selected for GSoC :)
-
Guus
Yes!
-
Seve
\o/!
-
jonas’
\o/
-
rion
seems like xep-0214 depends on deprecated xep-0137. Probably it has to be updated or deprecated too.
-
rion
we were just thinking on support@j.ru how to make file storage management for http upload.
-
Wiktor
vanitasvitae: is there a list of topics?
-
Link Mauve
rion, there is also XEP-0329, which depends on XEP-0234 instead.
-
Link Mauve
Those two are part of my list of deferred XEPs to look at and either revive or deprecate, but there was some opposition to deprecating a deferred XEP recently.
-
Andrew Nenakhov
Xep 214 is a bad idea that will end in pubsubfs, not that we're looking into
-
rion
Link Mauve: 329 looks good to me, thanks. and it can be combined with http jingle transport.
-
Link Mauve
Yup.
-
Link Mauve
I think goffi has another implementation of it.
-
Link Mauve
He demo’d it at the Summit.
-
Link Mauve
Andrew Nenakhov, being able to subscribe to a node mapping to a directory sounds useful though.
-
Link Mauve
The 0329 can’t be used for a dropbox-like, or even any notification.
-
vanitasvitae
Wiktor: in the xmpp wiki
-
Wiktor
vanitasvitae: kthx
-
goffi
indeed I have an implementation of XEP-0329, I'm pretty happy with it.
-
goffi
I've made a quick evaluation of various options, I've chosen this one because it's working and simple.
-
goffi
Link Mauve: while it can't be used for dropbox like?
-
goffi
s/while/why/
-
Link Mauve
goffi, how do you subscribe to files being added or removed or changed?
-
goffi
Link Mauve: is this needed for dropbrox like?
-
goffi
(note that I've never used dropbox)
-
Link Mauve
goffi, Dropbox is a software you install on your computer, which provides you a fuse(-like?) interface to mount a remote directory.
-
Link Mauve
Then when anyone puts files there, they will be downloaded on your computer.
-
Link Mauve
Or something like that.
-
Link Mauve
I haven’t used it either, but I’ve heard people talk about it.
-
Zash
It lets the cloud put files on your computer. Probably.
-
jonas’
I think the closest FLOSS thing is Sparkleshare
-
jonas’
or Seafile
-
jonas’
so if you want to check out the UX, go to those projects
-
jonas’
although sparkleshare in particular was pretty bad when I tested it the last time
-
nyco
hi
-
Guus
Hello
-
Link Mauve
jonas’, yes, it is.
-
Link Mauve
Also unmaintained.
-
goffi
Link Mauve: to look for files on a server (my current use case), XEP-0329 is enough and working well. To subscribe to a directory or a file it would need to be extended, but I think it can be done quite cleanly with references.
- Link Mauve now shuts up and lets board do boardy things.
-
Guus
Seve ralphm MattJ shall we meet?
-
Link Mauve
goffi, XEP-0214 did that already.
-
goffi
yes, but it's overcomplicated in my opinion
-
nyco
to all, my apologies for last week, as I did not join, and did not tell...
-
Guus
I think you did?
-
Guus
or was that the week before? I was not here last week myself.
-
Guus
anyways. you are forgiven. 🙂
-
Guus
... did these guys find another place to meet while we were gone?
-
MattJ
Hey
-
Guus
ola!
-
Seve
Hi! My bad
-
MattJ
Sorry, had a delivery arrive just as the meeting began :)
-
MattJ
Just missing ralphm?
-
Guus
That's generally when delivery guys show up at my door too. Mostly for neighbors, too.
-
Guus
yes
-
nyco
a softer way of swatting?
-
Guus
perhaps 🙂
-
nyco
https://trello.com/b/Dn6IQOu0/board-meetings
- Guus hands a gavel to nyco
- nyco tries to catch it on the fly
-
nyco
BANG
-
nyco
Minute taker, who are you today?
-
nyco
so we have Seve, Matt, Guus, and me, only Ralph is missing
-
nyco
we have 2 topics for decision: * E2E CA req * membership application commitment: * typo in deferred XEP discussion: * money, money, money * reach out high profile users * badge designer
-
nyco
let's start ?
-
nyco
1. E2E
-
nyco
file:///Users/nyco/code/converse.js/fullscreen.html
-
nyco
oops
-
nyco
https://trello.com/c/JIVSMPah/336-e2e-authentication-in-xmpp-ca-requirements
-
nyco
<you know my client now>
-
Guus
are you typing a lot in one message, or do I have delays?
-
nyco
maybe the weather
-
Guus
that's possible 🙂
-
Guus
wifi is acting up 🙂
-
Guus
I must admit I've not yet taken the time to study the E2E protoxep
-
nyco
so I have no clue of this item, too tech for me, I hand over to <who>?
-
MattJ
Yeah, I need more time to review it
-
nyco
so what's needed here?
-
nyco
so what's needed here?
-
Guus
It seems two-pronged, at least.
-
Ge0rG
If this is the CA part of the recently rejected XOR proto-XEP, it's about the XSF running a CA
-
nyco
so what's needed from the Board here?
-
nyco
oh ok
-
Guus
I'm assuming that this is brought before board, because it defines XSF-organisational requirements?
-
jonas’
there is a separate ProtoXEP for that
-
Link Mauve
Ge0rG, it has been accepted, hasn’t it?
-
jonas’
https://xmpp.org/extensions/inbox/eax-car.html
-
Guus
In our trello board, this is linked: https://xmpp.org/extensions/inbox/eax-car.html
-
jonas’
ha!
-
nyco
https://xmpp.org/extensions/inbox/eax.html https://xmpp.org/extensions/inbox/eax-car.html
-
jonas’
now we have it linked thrice
-
MattJ
The stated requirements for the XSF seem trivial enough as specified, but I'm not sure what the wider context is here
- nyco feels there is lag indeed
-
jonas’
the eax.html is Standards Track and has been handled by Board
-
jonas’
but it’s useful context
-
jonas’
more context is in xor.html
-
MattJ
What root CAs are we supposed to redirect to? Is there some vetting to be done? etc. - I need to read it more
-
Seve
Same here as the rest
-
MattJ
and why isn't relying on normal trust anchors enough? E.g. Mozilla's
-
nyco
are we able to do this?
-
Guus
Also - this introduces the XSF as a single source of truth
-
MattJ
So let's punt on this for the moment, understand it more and discuss next week
-
Guus
which somewhat clashes with doing things distributed/federated - unsure if that can be helped here (I must read more, as a wise man just said), but it's bound to raise brows.
-
Ge0rG
MattJ: normal CAs are forbidden to issue non-web certificates, essentially, by CA/Browser Forum rules
-
Ge0rG
(which is something the XSF Board might well be able to address, in a proper formal inquiry to the CABF)
-
nyco
if there is a CA, there are many ICA ?
-
nyco
which is more decentralised, still as a pyramid
-
jonas’
kind of like how DNSSEC works
-
Guus
Ge0rG is that an alternative approach than the one suggested in the XEP?
-
nyco
a blockchain-based CA? wait no
-
Ge0rG
Guus: no, it's completely orthogonal. I haven't had the time to read _this_ incarnation of the XEP either
-
Guus
Ge0rG ok thanks
-
Seve
I think there are too many questions on this one :)
-
Guus
as MattJ suggested, lets kick this can down the road for a week.
-
MattJ
+1
-
Guus
(and do some reading)
-
nyco
2. XEP-0345 (Form of Membership Applications)
-
nyco
card without description, what's needed from the board?
-
nyco
https://xmpp.org/extensions/xep-0345.html
-
MattJ
Who added it?
-
Guus
approval.
-
Ge0rG
nyco: it's a procedural XEP that needs to be decided upon
-
nyco
ok
-
Ge0rG
So Board should decide whether it shall be accepted or not.
-
nyco
so I feel like email, jid, affiliations and name are not enough. Can we add things like values, objectives, past contributions?
-
Guus
I only now see that there was feedback in the Last Call
-
MattJ
nyco, I think that's up to the candidate to add as much as they want to share to be accepted
-
Seve
I would have wanted that to be a discussion topic maybe? And then decide something about it.
-
MattJ
I don't think we need to make those things mandatory in a formal document
-
nyco
mandatory no, but as an option
-
nyco
rather a suggestion
-
Guus
MattJ didn't you raise an example of someone having 'valid' reasons for wanting to apply anonymously?
-
Guus
although we shot down applying anonymously before, your example might warrant to re-address that
-
MattJ
Possibly so
-
Guus
I think you were going to see if said person would be willing to provide details?
-
Guus
Do you recall who I'm talking of? You weren't specific.
-
MattJ
There is a slight difference between being an anonymous member and having your details being known only to the Secretary
-
Guus
If that's still ongoing, I'd like to have that information before voting on XEP-0345.
-
MattJ
Yes, I recall the conversation, I need to follow up
-
Ge0rG
I've recently brought up the anonymity question, and by now told the respective user that it's not an option.
-
jonas’
did you also tell them that contributing to standards etc. is very much possible without being a member?
-
MattJ
Ge0rG, iirc that was before the summit, where we had some in-person discussions about how we may improve the process
-
Guus
Ge0rG which is what we decided on.
-
MattJ
The decision still holds
-
MattJ
We /may/ be able to change the way we do things, and we /may/ decide to do that
-
MattJ
and that may or may not be enough for these people who want to remain anonymous
-
Guus
(what he said - my choice of words was poor)
-
Ge0rG
But you SHOULD document the current status quo in some way. And XEP-0345 is a good place
-
Guus
Agreed - I'd still like to review the feedback from the Last Call before I vote. I neglected doing that.
-
MattJ
Same
-
nyco
ok next item?
-
nyco
3. typo in deferred XEP
-
nyco
https://trello.com/c/U3OJ4sQx/328-clarify-what-happens-when-a-typo-or-equivalent-is-fixed-in-a-deferred-xep
-
Guus
I think we have a fix for that, and this trello card was only left for tracking that that fix got applied?
-
Guus
jonas’ - do you recall the details?
-
Ge0rG
It was decided upon in January
-
MattJ
"In today's board meeting, Board agrees with Jonas' suggested change, and ask the Editor to draft a proposal for the change in XEP-0001."
-
jonas’
Guus, yes... I should make a Pr
-
jonas’
buuuuuut .... -EBUSY
-
Guus
sure, no problem
-
nyco
looks weird to un-defer to re-defer later, can't we just allow editing of deferred XEPs, at least for archival purposes and probable later revival?
-
Guus
just trying to recall if there's something for us to do here 🙂
-
Guus
nyco we already voted on this - do you really want to re-open the issue?
-
Seve
I have a question for you about that jonas’, would it be possible to specify the equivalent? For instance I would like to update my contact information on an XEP, so I guess that falls into equivalent as well, but it would be nice to have this specified
-
jonas’
Seve, sorry, -ENOCTX
-
nyco
nope, I'm fine, can't recall, sorry, was it a meeting I missed?
-
Guus
(yeah, you need to be slightly less nerdy for me to follow here 😛 )
-
nyco
4. Money
-
nyco
https://trello.com/c/1yN2GL4q/296-fundraising-and-financing
-
MattJ
Seve, I guess we can consider that when the PR is submitted
-
Guus
I think this boils down to a) there's general consensus that the XSF could use more money to 'do things' that stimulate XMPP, and b) we need to find sources of income.
-
MattJ
i.e. make sure the wording encompasses those kinds of changes
-
MattJ
Guus, right
-
Guus
we've previously established that from a financial point of view, the XSF is in good shape - but does not have much reserves to significantly spend on things
-
Guus
Maybe it's time to bury this card, and recreate one that says 'get sponsors' (which actually is hopefully a byproduct of the next card )
-
nyco
I'd say it's more of a continuous effort...
-
Guus
unless there's other topics related to 'fundraising and financing' that board wants to discuss
-
MattJ
Guus, that sounds like good progress
-
nyco
5. Define strategy to reach out to (and reap benefits) high profile XMPP applications/users.
-
nyco
https://trello.com/c/dGy6D0yl/334-define-strategy-to-reach-out-to-and-reap-benefits-high-profile-xmpp-applications-users
-
Guus
for various reasons, I feel that we should get in touch with high-profile XMPP applications
-
Ge0rG
slightly related to this, Winfried wrote in his application <https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019> that he wanted to reach out to interesting XMPP deployments
-
Guus
1) they act as awesome showcases - which can be good for marketing
-
Guus
2) we can likely learn a lot from each-other - they can benefit from our resources, we can benefit from their expertise
-
Guus
3) some of these might be sponsor candidates
-
Ge0rG
Guus: it would be great to approach the companies behind https://xmpp.org/uses/gaming and also to finish https://github.com/xsf/xmpp.org/issues/490
-
Guus
Ge0rG yes.
-
Guus
As we do not have an executive director anymore (who I'd think would be perfect for the reaching out), I think that it falls on board to figure out how to approach this.
-
Guus
which I suggest boils down to: "who do we contact?" and "what message do we want to convey?"
-
Guus
I have very little experience here, so I'm looking for input.
-
Ge0rG
Guus: also it's good to clarify who is "we"
-
nyco
our approach could be bottom-up, to start with, that is: we collect those data from members willing to share
-
Guus
Ge0rG to clarify, with 'we' I mean 'the XSF'
-
Seve
I don't see any other 'we' here
-
Guus
nyco what 'data' do you mean exactly?
-
nyco
use cases, verticals, numbers, values, benefits
-
Ge0rG
Guus: 'we' should be a volunteering person or maybe a small working team. SCAM or commteam might be a good fit.
-
MattJ
Guus, I think something winfried and I were discussing in Brussels... many of the people involved in the XSF are involved with various XMPP projects that don't necessarily get the exposure they deserve
-
MattJ
I'm sure some of them don't want to, but I'm also sure some of them do
-
Ge0rG
Winfried might be a good candidate if he happens to have time.
-
Ge0rG
I planned to ask him, but his server was down
-
Guus
I'm hearing the name "Winfried" a lot, so it makes sense to at least ask him if he is interested in taking point on this.
-
Guus
but I do wonder if the reaching-out bit should be done by an officer.
-
Ge0rG
Guus: according to his own words from four weeks ago, he is
-
Guus
as it's the beginning of potentially formal relationship?
-
Seve
When I applied for board I mentioned I would like to see what we can do about making companies advertise that they use XMPP, like they would do for any kind of framework or language for example, but I have no experience on this topic. But I don't think just a single person can manage all of this. From my point of view we should gather together like we do in these meetings and start bit by bit discussing how, what, etc.
-
Ge0rG
From https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019 - > I want to do more of those: go out there and interview the people behind interesting XMPP deployments and publish about them.
-
nyco
if we want exposure, we can do interviews 5 to 10 questions, always the same, send them to a project/product leader (dev, product, marketing, CEO, whatever), put them in shape, do a blog post, automatically post to Twitter (and more, if possible)
-
MattJ
Guus, my point is that many of us are already working with the people we're discussing
-
MattJ
and that's our easiest way into such users of XMPP
-
MattJ
rather than starting cold with high-profile users we've got no current routes into
-
nyco
Seve this is an itch I also would like to scratch
-
Seve
nyco, that's in my todo list, I wanted to reach to companies and do that kind of interviewing, so it is fair for everybody
-
Seve
But we need to talk a bit on what to ask, and so on
-
Guus
Many things at the same time: Ge0rG: good! nyco: that would be awesome, but I like to have more: not just an article, but active involvement. MattJ also, that's a good start, but I also want to find _new_ organisations.
-
nyco
I'm following you Seve
-
MattJ
Guus, you think the XSF knows all the current ones?
-
nyco
Guus article vs article involvement
-
Guus
nyco: much more than articles! I'd like them to eventually become members 🙂
-
Guus
but they're all good starts
-
nyco
Guus MattJ yes, hidden uses of XMPP are everywhere
-
Guus
MattJ no, definitely not - and what you propose might be a good start.
-
Guus
This topic might warrant a meeting on its own
-
Guus
(also, we're running out of time - and I need to divert my attention soon)
-
Seve
Several even :D
-
winfried
Seve I already interviewed one and am in the process of finishing it, good to team up
-
Ge0rG
winfried! \o/
-
nyco
Guus oh yeah, definitely, members rock though, I felt that many orgs follow the XSF, but do not wish to contribute/participate, for various reasons: no time, shyness, intimidating, too/only technical
-
Guus
Can we wrap up for today?
-
MattJ
nyco, also I've encountered some that didn't want their use of XMPP to be public knowledge
-
nyco
hey, we have passed the 16:00 mark, we should adjourn this meeting, who against that?
-
MattJ
+1
-
Seve
MattJ, interesting
-
nyco
Next ? +1W as usual ?
-
MattJ
wfm
- Ge0rG's got another point for heated discussion, but will delay that by +1W
-
Guus
I'm fine with +1w
-
nyco
BANG
-
Seve
Sure +1
-
nyco
Thanks everybody! 😉
-
MattJ
Thanks nyco and all :)
-
Seve
Very nice to meet with you all!
-
Guus
Ge0rG curious, what was the topic?
-
Guus
I like to be prepared for next time 🙂
-
Ge0rG
Guus: it's related to the Jabber trademark.
-
Guus
your license was arranged, right?
-
Guus
so, different issue?
-
Ge0rG
Guus: right
-
Guus
kk
-
Guus
"looking forward to it"
-
Guus
😉
-
MattJ
:)
-
zinid
so XEP-CAR is postponed?
-
zinid
*EAX-CAR
-
winfried
Ge0rG: time to do some SSL debugging?
-
Ge0rG
winfried: do you mind running your domain through xmpp.net?
-
winfried
don't mind :-D
-
MattJ
zinid, yes, until next week
-
zinid
tl;dr? 😀
-
MattJ
Just so everyone can get a better understanding of what the responsibilities are
-
zinid
well, I'm just asking to run the url redirection, it's experimental anyway
-
MattJ
Good to know
-
zinid
but of course I can just copy that CA/B Forum's insane requirements to the XEP so *nobody* will be able to read it
-
MattJ
Can you give an example of an entity the redirect might go to?
-
zinid
MattJ, we're going to start the CA at process-one, that will be the first URL for redirection
-
MattJ
or... just maybe wait until I've read the other XEP, I'll probably understand more then :)
-
MattJ
Ok
-
moparisthebest
jonas’, Link Mauve: I'd say closest floss thing to Dropbox would be nextcloud or syncthing , I probably wouldn't want my xmpp client trying to reinvent that wheel...
-
Link Mauve
moparisthebest, does that mean you want it to be impossible to implement such a service?
-
Link Mauve
It doesn’t have to be your client.
-
moparisthebest
no of course not
-
MattJ
What advantages does using XMPP have here?
-
moparisthebest
just, to me, seems totally unsuited for XMPP
-
winfried
Ge0rG: https://xmpp.net/result.php?id=1452651 :-D
-
Ge0rG
winfried: so you only accept ECDSA and I reject ECDSA
-
winfried
Ge0rG: Got already a smelling suspicion....
-
Ge0rG
winfried: https://xmpp.net/result.php?domain=yax.im&type=server#ciphers
-
Ge0rG
winfried: is there a particular reason for ECDSA?
-
Guus
zinid can you share a link to the insane CA/B Forums requirements? 🙂
-
zinid
MattJ, for incident resolution we can just borrow formal rules developed by CA/B Forum, but I don't want to copy the whole requirements of CA/B Forum, they are too complex and this will prevent some OSS communities from running any CA at all except a few companies with money
-
Ge0rG
Guus: https://cabforum.org/baseline-requirements-documents/
-
Guus
tx
-
Link Mauve
moparisthebest, getting notifications about things, and being able to manage things you already uploaded in some form over XMPP, doesn’t sound that unsuited to me.
-
Link Mauve
In the recent years, a lot of clients have started uploading files to their server for instance.
-
zinid
Guus, achtung, the document is very TL;DR 😀
-
Link Mauve
It would be useful to have a way to manage that, instead of an upload once, regret forever kind of thing.
-
moparisthebest
only to share links, synchronizing directory trees across computers is an entirely different ballgame
-
goffi
XMPP is absolutely suited for that, and I'm already on the way of doing something similar. XMPP brings its ecosystem (accounts, permissions, notifications, etc.)
-
Link Mauve
And that.
-
Guus
zinid aren't they always? 🙂
-
zinid
Guus, yeah, CA is hard
-
winfried
Ge0rG: must have been, but I don't remember anymore... ;-) I guess I may relax my ciphers a bit.
-
Ge0rG
winfried: you could use the recommendations from https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
-
moparisthebest
winfried, it doesn't look like cipher selection as much as you got an ecdsa key+certificate and not an RSA one ?
-
Ge0rG
you can get a pure ecdsa cert from public CAs?
-
zinid
Ge0rG, yes
-
zinid
Let's Encrypt may issue pure ECC cert
-
Ge0rG
and it won't do RSA based DH?
-
zinid
Ge0rG, no, ejabberd's ACME only supports ECC so far and LE doesn't complain
-
Ge0rG
zinid: so I won't be able to talk to any of the ejabberd self-ACMEd servers if I forbid ECDSA?
-
zinid
Ge0rG, yes, but that's a bug of ejabberd of course
-
Ge0rG
why are you even promoting that footgun?
-
zinid
I promote?
-
zinid
that was GSoC, and as any GSoC it sucks
-
Ge0rG
ECDSA is the most profoundly misdesigned crypto algorithm of the last decade or so
-
zinid
ah, you mean DSA?
-
zinid
sorry, I'm lost in terms
-
zinid
I thought you meant pure ECC cert (or how it's correctly called, i.e. not RSA)
-
Ge0rG
zinid: I'm speaking of the ECC based algorithms that are part of TLS
-
zinid
okay, then I don't know what you mean, I'm clueless
-
moparisthebest
Ge0rG, looks like you support all the ECDHE* algorithms and even prefer them though
-
moparisthebest
that's a different issue than ECDSA vs RSA certificates
-
Ge0rG
Okay, so I'm probably too stupid to follow my own advice.
-
moparisthebest
also TLS 1.3 called and said it ONLY supports ECDHE algorithms so, keep that in mind :)
-
zinid
ECDHE is something that only works with ECC certs, right?
-
moparisthebest
no
-
zinid
😀
-
moparisthebest
entirely separate things
-
zinid
okay
-
moparisthebest
for ECDSA vs RSA certificates, it's on my list of things to investigate, I *think* new nginx supports having both
-
moparisthebest
I'm *guessing* no XMPP server currently does
-
zinid
wtf is ECDSA certificate?
-
zinid
which is based on ECC private key or what?
-
Zash
moparisthebest: You can probably configure Prosody with that now, if you have bleeding edge LuaSec
-
winfried
Zash: interesting challenge :-)
-
moparisthebest
I think I'll try nginx first :P
-
zinid
according to wikipedia it seems like ECDSA cert is indeed a ECC cert
-
zinid
moparisthebest, haproxy supports the combo for sure
-
zinid
and we have some feature requests to support that in ejabberd
-
moparisthebest
but only useable with xep-0368 I'm guessing?
-
zinid
if you use front-end like haproxy? yes
-
Zash
moparisthebest, winfried: https://issues.prosody.im/809#comment-5
-
moparisthebest
awesome, maybe I will try that first then, thanks Zash
-
winfried
Zash moparisthebest checking right now with my SSL-supplier if I can get a second certificate....
-
Ge0rG
winfried: unfortunately my testssl is going very slow.
-
Ge0rG
winfried: is the cert the same as on your https://?
-
moparisthebest
winfried, not using letsencrypt?
-
winfried
Ge0rG: same as https://tilanus.com/ not the same as https://www.tilanus.com/
-
Ge0rG
winfried: one is a redirect to the other :>
-
winfried
Ge0rG: / yes
-
Ge0rG
winfried: anyway, I wanted to ping you regarding your promise in the Membership application. Can do that in public as well
-
winfried
Ge0rG: :-D
-
Ge0rG
winfried: it would be awesome if somebody could follow-up on https://github.com/xsf/xmpp.org/issues/490 and to contact the different teams behind the https://xmpp.org/uses/gaming items
-
winfried
Ge0rG: do you know if anybody has contacts to one of those groups?
-
zinid
Riot Games used to be our customer
-
Ge0rG
winfried: when I was collecting the links for the gaming section, I tried to find the most authoritative ones. If they don't list contacts, I don't have anything better unfortunately.
-
zinid
not sure how that promotes XMPP though, as the majority of them use highly customized XMPP servers
-
zinid
except maybe EVE online
-
zinid
for the record, EVE Online maintains their ejabberd branch at github
-
zinid
last time I checked they had very few changes from mainline
-
Ge0rG
zinid: is it wrong to run heavily patched servers?
-
winfried
Ge0rG: I would like to avoid making cold calls/doing research to find the right people, but I will be able to do so if needed...
-
zinid
Ge0rG, well, heavily patched means they patch the parts related to XMPP protocol, so basically they are not XMPP compliant
-
zinid
like WhatsApp for example
-
zinid
it's hard to call them XMPP
-
winfried
zinid: I call WhatsApp XMPP inspired, not an XMPP deployment...
-
zinid
winfried, we can call almost all of them this way
-
zinid
they start from XMPP and then diverge drastically
-
zinid
dropping all the bloat of XMPP
-
Ge0rG
winfried: I can understand that, yeah. But I don't know what would be a better way. Write a post on xmpp.org saying "Dear large scale deployments, please contact us for cross promotion"?
-
winfried
Ge0rG: yes, would be a nice way, also good to point to if I am making a cold call...
-
Ge0rG
winfried: this directly plugs into today's Board discussion, have a list of questions about the deployment.
-
Ge0rG
MattJ did a survey among xmpp developers recently.
-
zinid
what survey?
-
winfried
zinid: it is hard to draw a line when something is still XMPP or not, many private deployments extend or bend the protocol in some way. But some of them may still provide nice use cases for XMPP. But it would be good to stay critical about it. (And some would be better off if they kept in closer contact with the XSF)
-
winfried
Ge0rG: I saw it, I answered it myself too ;-)
-
winfried
Ge0rG: There may be different projects here: a survey, liaison and whitepapers
-
Ge0rG
zinid: https://goo.gl/forms/L1AKnTLXjIAfP27W2
-
Ge0rG
Not sure where the results landed
-
MattJ
Ge0rG, Prosody community != XMPP developers...
-
MattJ
The results landed somewhere where Zash has been nagging me to process them (the survey isn't officially closed yet)
-
winfried
(will be AFK for a while) Ge0rG, zash, I will try a ECDSA and a RSA cert side by side later today
-
Ge0rG
winfried: I'm pretty sure it's not about the cert but about the allowed ciphers
-
Ge0rG
But then again, I'm not an expert
-
moparisthebest
that's correct but the ciphers you can use depend on your cert
-
moparisthebest
ECDHE-RSA-AES256-GCM-SHA384
-
moparisthebest
that can only be used with an RSA cert
-
winfried
I checked my configuration, it should allow RSA
-
winfried
(really gone now)
-
moparisthebest
ECDHE-ECDSA-AES256-GCM-SHA384
-
moparisthebest
that can only be used with an ECDSA cert
-
Ge0rG
But you can use ECDSA with an RSA cert?
-
moparisthebest
those are different things though
-
moparisthebest
gah I wish I knew the term, there is the certificate part, then the key exchange part, then the encription part
-
moparisthebest
also wish I could spell haha, encryption*
-
Ge0rG
LMC to the rescue!
-
zinid
> And some would be better of if they kept in closer contact with the XSF I'm not sure they are interested, they don't think in terms of the protocol, just like when you deploy an HTTP server you don't go in contact with the corresponding standards body
-
moparisthebest
don't think dino does that yet, or I don't know the spell to invoke it
-
MattJ
zinid, I tend to agree. I think XMPP is useful for many of them to bootstrap, but they don't necessarily need federation or interoperability
-
MattJ
Even if both those things would generally be considered good by most people here, they do come at a cost, so I see why they get dropped easily
-
MattJ
We should still make contact with though, I think having communication with them can be good, even if we fail
-
zinid
MattJ, they also choose a solution, among others, so this is nothing to do with the protocol. I just know how they think, we talked to them a lot, for example, with Belkin (former Linksys). BTW, they run 2M IoT devices on their cluster (just in case, it's not mentioned by the XSF iot cases page)
-
zinid
and solution typically means "how much money"
-
Ge0rG
zinid: is Belkin documented anywhere in the public?
-
zinid
Ge0rG, yes, but I'm not sure they want to reveal their capacity
-
zinid
https://fluux.io/clients
-
zinid
they only allowed us to mention them as a client
-
zinid
*a customer
-
Ge0rG
zinid: this is what I meant by "in the public"
-
zinid
what exactly? The fact that they use XMPP? Or their capacity?
-
zinid
although, it's hard to call that XMPP, they just send encapsulated JSON and use XMPP as a streaming transport only. We try to convince them to MQTT instead.
-
zinid
*to use MQTT
-
zinid
as MQTT requires far less resources, we can shrink cluster capacity twice or so
-
Ge0rG
zinid: the fact that they are using XMPP. That would be a good mention for the IoT page
-
zinid
well, it's up to you of course, but my view is that XMPP is something about federation, and this is where "the community" fails miserably, I think there are fewer than a million users using federated XMPP
-
zinid
in the sense that the XSF spends so much time to produce federated protocols (the compliance suite is an example), but the largest user base is located at walled gardens of quasi XMPP
-
Ge0rG
zinid: I'm speaking of XMPP the protocol, not Jabber the IM network
-
zinid
well, I clarified what I mean
-
pep.
Re CABF, can XSF members not infiltrate it? :p What do you need to get in? money?
-
Zash
Be a browser or a CA I guess?
-
Ge0rG
pep.: excellent question. There was a discussion about xmpp srv-id already some years ago. But it seems to not have led anywhere
-
pep.
Ge0rG, yeah I remember that thread
-
pep.
Do we have a clear set of changes we want to bring to that document?
-
pep.
Then we'd need to invest time in politics a bit
-
Ge0rG
pep.: we should at least demand that SRV id are not forbidden in SAN
-
Ge0rG
I'm not sure what the state of art is in xmppAddr fields.
-
Ge0rG
It would be awesome if we could ask a public CA for a cert that only contains an srvId for an xmpp server. That would allow secure delegation of your xmpp to a service provider without letting them impersonate your webshits
-
Ge0rG
Not that web security was in a good shape.
-
pep.
I'd also like to be able to be able to set another Key Usage
-
pep.
(X509v3 Extended Key Usage)
-
Ge0rG
pep.: what exactly do you want to have there
-
pep.
_not_ Web
-
pep.
For a start
-
Ge0rG
pep.: https://github.com/letsencrypt/boulder/issues/1309
-
pep.
Yeah I know that issue
-
pep.
And we need to do something about it now, because LE is not going to
-
pep.
But it's not just about SRV id in SANs, it's also that Key Usage
-
pep.
i.e., s/TLS Web Server Authentication/TLS Server Authentication/
-
pep.
Or even s/Web/XMPP/
-
moparisthebest
Ge0rG, pep. , or we could push for DNSSEC + DANE ?
-
moparisthebest
that way you control what key is valid for what server+port via DNS
-
moparisthebest
seems better and more doable than getting CAs to do anything
-
Wiktor
moparisthebest, you can specify multiple certs in nginx since 1.11, it's designed to be used in RSA+ECDSA scenarios, see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
-
Wiktor
note that even though Let's Encrypt will issue ECDSA cert it will be signed by their RSA intermediate cert, they don't (yet) have full ECDSA chain: https://letsencrypt.org/upcoming-features/
-
moparisthebest
ah thanks, I thought I remembered them adding support for that I just haven't gotten around to it yet
-
Wiktor
👍️
-
pep.
moparisthebest, that's orthogonal. Even though I agree we could focus our efforts on one thing, but then I'm not sure which one to do. I remember daniel having criticism against dnssec, or the deployment (middle boxes) in germany or sth, but I don't remember the details
-
Ge0rG
moparisthebest [19:57]: > Ge0rG, pep. , or we could push for DNSSEC + DANE ? I'm sure that 2019 will be the year of DNSSEC. Especially for the IM TLD
-
pep.
Yeah and that..
-
moparisthebest
all new domains since, idk, 2012 or something have DNSSEC support
-
moparisthebest
I'd argue any domain having right now supports it, maybe it's time to abandon .im
-
pep.
not im. no
-
moparisthebest
that's not a new one
-
pep.
Ah right my bad. Well in the meantime..
-
moparisthebest
oh, I missed a word haha
-
moparisthebest
I'd argue any domain worth having right now supports it, maybe it's time to abandon .im
-
pep.
I always verify the tld supports it before I buy anything fwiw
-
Ge0rG
It'll be another decade until all DNS servers support it.
-
moparisthebest
I still can't find the link I wanted but the gtld's, all the new fancy ones, must have DNSSEC support
-
moparisthebest
all DNS servers support it now? maybe you mean all TLDs ?
-
Ge0rG
Just this week I had a problem with Telekom DNS server returning ServFail for a non existent SRV record on a DNSSEC signed domain... after a 3s delay!
-
Ge0rG
moparisthebest: I'm speaking of resolvers out there in the wild
-
Ge0rG
Some CPE routers still fail at SRV altogether
-
moparisthebest
those are already dead https://dnsflagday.net/
-
Ge0rG
On yax.im I've got 10-15% of non SRV clients
-
moparisthebest
I give it about another year before 99.9% of the DNS requests are via HTTPS anyway
-
moparisthebest
and all those support DNSSEC etc
-
!xsf_Martin
Please tell me when he’s done flooding with part/join, so I can take back my normal nick.
-
Ge0rG
yax.im: Serious problem detected! This domain will face issues after February 1st 2019!
-
pep.
!xsf_Martin, how are we supposed to see now? :p
-
pep.
xml_tab?
-
pep.
Not even, that wouldn't get to me
-
Link Mauve
Seems fixed.
-
Ge0rG
You need to see presence changes to understand the context, right?
-
pep.
indeed
-
pep.
Who do I need to ping again to appear in planet jabber? ralphm?
-
winfried
moparisthebest Ge0rG: to resolve the discussion: at Prosody, with an ECDHE certificate it accepts only incoming ECDHE connections, with an RSA certificate only RSA connections
-
Ge0rG
That's... unfortunate.
-
dwd
pep., ralphm, indeed. Maybe intosi can help, I don't know.
-
dwd
moparisthebest, I do hope we don't end up with DoH everywhere. The ramifications of that scare me badly.
-
moparisthebest
winfried, I mean that's not prosody specific, that's universal TLS (assuming you meant ECDSA instead of ECDHE)
-
moparisthebest
dwd, too late, I think it's the default on latest android?
-
moparisthebest
also enable-able in firefox
-
dwd
moparisthebest, All the DNS data going through Google, is it?
-
dwd
moparisthebest, And no doubt it's for our own good, of course.
-
moparisthebest
I would guess by default yes :'(
-
Ge0rG
Google and Clownflare
-
winfried
moparisthebest: I also assume it is universal, but I just tested it on prosody
-
Ge0rG
Using Google DNS is already a reality on my Samsung phone
-
moparisthebest
winfried, but did you try both?
-
dwd
winfried, OpenSSL, at least, can accept multiple cert/key pairs, and if given both it'll use whichever fits the ciphers requested.
-
winfried
moparisthebest: yes, I tried both
-
moparisthebest
I run my own though, which randomly picks from a list of upstream DNS servers, and proxies over tor, so I like dns-over-tls (and dns-over-https) sorry for shameless plug https://github.com/moparisthebest/jDnsProxy
-
winfried
winfried: 100% guarantee, the key I select, the cipher I get :-D
-
winfried
dwd: I know, but I am trying to get prosody talking both, no success so far.
-
winfried
diving into the debugging logs right now
-
winfried
Zash: I tried https://issues.prosody.im/809#comment-5 no luck, it picks only the ec certificate like that. I tried to verify I really got the right version of luasec (installed the dev version locally, ahead in the path of the regular/package manager one) but I am not 100% sure it picked the right one.