XSF Discussion - 2019-02-28

Nice, the XSF got selected for GSoC :)

Yes!

\o/!

\o/

seems like xep-0214 depends on deprecated xep-0137. Probably it has to be updated or deprecated too.

we were just thinking on support@j.ru how to make file storage management for http upload.

vanitasvitae: is there a list of topics?

rion, there is also XEP-0329, which depends on XEP-0234 instead.

Those two are part of my list of deferred XEPs to look at and either revive or deprecate, but there was some opposition to deprecating a deferred XEP recently.

Xep 214 is a bad idea that will end in pubsubfs, not that we're looking into

Link Mauve: 329 looks good to me, thanks. and it can be combined with http jingle transport.

Yup.

I think goffi has another implementation of it.

He demo’d it at the Summit.

Andrew Nenakhov, being able to subscribe to a node mapping to a directory sounds useful though.

The 0329 can’t be used for a dropbox-like, or even any notification.

Wiktor: in the xmpp wiki

vanitasvitae: kthx

indeed I have an implementation of XEP-0329, I'm pretty happy with it.

I've made a quick evaluation of various options, I've chosen this one because it's working and simple.

Link Mauve: while it can't be used for dropbox like?

s/while/why/

goffi, how do you subscribe to files being added or removed or changed?

Link Mauve: is this needed for dropbrox like?

(note that I've never used dropbox)

goffi, Dropbox is a software you install on your computer, which provides you a fuse(-like?) interface to mount a remote directory.

Then when anyone puts files there, they will be downloaded on your computer.

Or something like that.

I haven’t used it either, but I’ve heard people talk about it.

It lets the cloud put files on your computer. Probably.

I think the closest FLOSS thing is Sparkleshare

or Seafile

so if you want to check out the UX, go to those projects

although sparkleshare in particular was pretty bad when I tested it the last time

hi

Hello

jonas’, yes, it is.

Also unmaintained.

Link Mauve: to looks for files on a server (my current use case), XEP-0329 is enough and working well. To subscribe to a directory or a file it would need to be extended, but I think it can be done quite cleanly with references.

Seve ralphm MattJ shall we meet?

goffi, XEP-0214 did that already.

yes, but it's overcomplicated in my opinion

to all, my apologies for last week, as I did not join, and did not tell...

I think you did?

or was that the week before? I was not here last week myself.

anyways. you are forgiven. 🙂

... did these guys find another place to meet while we were gone?

Hey

ola!

Hi! My bad

Sorry, had a delivery arrive just as the meeting began :)

Just missing ralphm?

That's generally when delivery guys show up at my door too. Mostly for neighbors, too.

yes

a softer way of swatting?

perhaps 🙂

https://trello.com/b/Dn6IQOu0/board-meetings

BANG

Minute taker, who are you today?

so we have Seve, Matt, Guus, and me, only Ralph is missing

we have 2 topics for decision: * E2E CA req * membership application commitment: * typo in deferred XEP discussion: * money, money, money * reach out high profile users * badge designer

let's start ?

1. E2E

file:///Users/nyco/code/converse.js/fullscreen.html

oops

https://trello.com/c/JIVSMPah/336-e2e-authentication-in-xmpp-ca-requirements

<you know my client now>

are you typing a lot in one message, or do I have delays?

maybe the weather

that's possible 🙂

wifi is acting up 🙂

I must admit I've not yet taken the time to study the E2E protoxep

so I have no clue of this item, too tech for me, I hand over to <who>?

Yeah, I need more time to review it

so what's neede here?

so what's needed here?

It seems two-prone, at least.

If this is the CA part of the recently rejected XOR proto-XEP, it's about the XSF running a CA

so what's needed from the Board here?

oh ok

I'm assuming that this is brought before board, because it defines XSF-organisational requirements?

there is a separate ProtoXEP for that

Ge0rG, it has been accepted, hasn’t it?

https://xmpp.org/extensions/inbox/eax-car.html

In our trello boad, this is linked: https://xmpp.org/extensions/inbox/eax-car.html

ha!

https://xmpp.org/extensions/inbox/eax.html https://xmpp.org/extensions/inbox/eax-car.html

now we have it linked thrice

The stated requirements for the XSF seem trivial enough as specified, but I'm not sure what the wider context is here

the eax.html is Standards Track and has been handled by Board

but it’s useful context

more context is in xor.html

What root CAs are we supposed to redirect to? Is there some vetting to be done? etc. - I need to read it more

Same here as the rest

and why isn't relying on normal trust anchors enough? E.g. Mozilla's

are we able to do this?

Also - this introduces the XSF as a single source of truth

So let's punt on this for the moment, understand it more and discuss next week

which somehwat clashes with doing things distributed/federated - unsure if that can be helped here (I must read more, as a wise man just said), but it's bound to raise brows.

MattJ: normal CAs are forbidden to issue non-web certificates, essentially, by CA/Browser Forum rules

(which is something the XSF Board might well be able to address, in a proper formal inquiry to the CABF)

if there is a CA, there are many ICA ?

which is more decentralised, still as a pyramid

kind of like how DNSSEC works

Ge0rG is that an alternative approach than the one suggested in the XEP?

a blockain-based CA? wait no

Guus: no, it's completely orthogonal. I haven't had the time to read _this_ incarnation of the XEP either

Ge0rG ok thanks

I think there are too many questions on this one :)

as MattJ suggested, lets kick this can down the road for a week.

+1

(and do some reading)

2. XEP-0345 (Form of Membership Applications)

card without description, what's needed from the board?

https://xmpp.org/extensions/xep-0345.html

Who added it?

approval.

nyco: it's a procedural XEP that needs to be decided upon

ok

So Board shoul decide whether it shall be accepted or not.

so I feel like emil, jid, affiliations and name are not enough can we add things like values, objectives, past contributions?

I only now see that there was feedback in the Last Call

nyco, I think that's up to the candidate to add as much as they want to share to be accepted

I would have wanted that to be a discussion topic maybe? And then decide something about it.

I don't think we need to make those things mandatory in a formal document

mandatory no, but as an option

rather a suggestion

MattJ didn't you raise an example of someone having 'valid' reasons for wanting to apply anonymously?

although we shot down applying anonymously before, your example might warrant to re-address that

Possibly so

I think you were going to see if said person would be willing to provide details?

Do you recall who I'm talking of? You weren't specific.

There is a slight difference between being an anonymous member and having your details being known only to the Secretary

If that's still ongoing, I'd like to have that information before voting on XEP-0345.

Yes, I recall the conversation, I need to follow up

I've recently brought up the anonymity question, and by now told the respective user that it's not an option.

did you also tell them that contributing to standards etc. is very much possible without being a member?

Ge0rG, iirc that was before the summit, where we had some in-person discussions about how we may improve the process

Ge0rG which is what we decided on.

The decision still holds

We /may/ be able to change the way we do things, and we /may/ decide to do that

and that may or may not be enough for these people who want to remain anonymous

(what he said - my choice of words was poor)

But you SHOULD document the current status quo in some way. And XEP-0345 is a good place

Agreed - I'd still like to review the feedback from the Last Call before I vote. I neglected doing that.

Same

ok next item?

3. typo in deferred XEP

https://trello.com/c/U3OJ4sQx/328-clarify-what-happens-when-a-typo-or-equivalent-is-fixed-in-a-deferred-xep

I think we have a fix for that, and this trello card was only left for tracking that that fix got applied?

jonas’ - do you recall the details?

It was decided upon in January

"In today's board meeting, Board agrees wiath Jonas' suggested change, and ask the Editor to draft a proposal for the change in XEP-0001."

Guus, yes... I should make a Pr

buuuuuut .... -EBUSY

sure, no problem

looks weird to un-defer to re-defer later, can't we just let edition of deferred XEP, at least for archival purposes and probable later revival ?

just trying to recall if there's something for us to do here 🙂

nyco we already voted on this - do you really want to re-open the issue?

I have a question for you about that jonas’, would be possible to specify the equivalent? For instance I would like to update my contact information on a XEP, so I guess that falls into equivalent as well, but would be nice to have this specified

Seve, sorry, -ENOCTX

nope, I'm fine, can't recall, sorry, was it a meeting I missed?

(yeah, you need to be slightly less nerdy for me to follow here 😛 )

4. Money

https://trello.com/c/1yN2GL4q/296-fundraising-and-financing

Seve, I guess we can consider that when the PR is submitted

I think this boils down to a) there's general consensus that the XSF could use more money to 'do things' that stimulate XMPP, and b) we need to find sources of income.

i.e. make sure the wording encompasses those kinds of changes

Guus, right

we've previously established that from a finanicial point of view, the XSF is in good shape - but does not have much reserves to significantly spend on things

Maybe it's time to bury this card, and recreate one that says 'get sponsors' (which actually is hopefully a byproduct of the next card )

I'd say it's more of a continuous effort...

unless there's other topics related to 'fundraising and financing' that board wants to discuss

Guus, that sounds like good progress

5. Define strategy to reach out to (and reap benefits) high profile XMPP applications/users.

https://trello.com/c/dGy6D0yl/334-define-strategy-to-reach-out-to-and-reap-benefits-high-profile-xmpp-applications-users

for various reasons, I feel that we should get in touch with high-profile XMPP applicators

slightly related to this, Winfried wrote in his application <https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019> that he wanted to reach out to interesting XMPP deployments

1) they act as awesome showcases - which can be good for marketing

2) we can likely learn a lot from each-other - they can benefit from our resources, we can benefit from their expertise

3) some of these might be sponsor candidatesd

Guus: it would be great to appriach the companies behind https://xmpp.org/uses/gaming and also to finish https://github.com/xsf/xmpp.org/issues/490

Ge0rG yes.

As we do not have an executive director anymore (who I'd think would be perfect for the reaching out), I think that it falls on board to figure out how to approach this.

which I suggests boils down to: "who do we contact?" and "what message do we want to convey?"

I have very little experience here, so I'm looking for input.

Guus: also it's good to clarify who is "we"

our approach could be bottom-up, to start with, that is: we collect those data from member willing to share

Ge0rG to clarify, with 'we' I mean 'the XSF'

I don't see any other 'we' here

nyco what 'data' do you mean exactly?

use cases, verticals, numbers, values, benefits

Guus: 'we' should be a volunteering person or maybe a small working team. SCAM or commteam might be a good fit.

Guus, I think something winfried and I were discussing in Brussels... many of the people involved in the XSF are involved with various XMPP projects that don't necessarily get the exposure they deserve

I'm sure some of them don't want to, but I'm also sure some of them do

Winfried might be a good candidate if he happens to have time.

I planned to ask him, but his server was down

I'm hearing the name "Winfried" a lot, so it makes sense to at least ask him if he is interested in taking point on this.

but I do wonder if the reaching-out bit should be done by an officer.

Guus: according to his own words from four weeks ago, he is

as it's the beginning of potentially formal relationship?

When I applied for board I mentioned I would like to see what can we do about making companies advertise they use XMPP like they would do using any kind of framework or language for example, but I have no experience on this topic. But I don't think just a single person can manage all of this. From my point of view we should gather together like we do on this meetings and start bit by bit discussing how, what, etc.

From https://wiki.xmpp.org/web/Winfried_Tilanus_Application_2019 - > I want to do more of those: go out there and interview the people behind interesting XMPP deployments and publish about them.

if we want exposure, we can do interviews 5 to 10 questions, always the same, send them to a project/product leader (dev, product, marketing, CEO, whatever), put them in shape, do a blog post, automatically post to Twitter (and more, if possible)

Guus, my point is that many of us are already working with the people we're discussing

and that's our easiest way into such users of XMPP

rather than starting cold with high-profile users we've got no current routes into

Seve this is an itch I also would like to scratch

nyco, that's in my todo list, I wanted to reach to companies and do that kind of interviewing, so it is fair for everybody

But we need to talk a bit on what to ask, and so on

Many things at the same time: Ge0rG: good! nyco: that would be awesome, but I like to have more: not just an article, but active involvement. MattJ also, that's a good start, but I also want to find _new_ organisations.

I'm following you Seve

Guus, you think the XSF knows all the current ones?

Guus article vs article involvment

nyco: much more than articles! I'd like them to eventually become members 🙂

but they're all good starts

Guus MattJ yes, hidden uses of XMPP are everywhere

MattJ no, definately not - and what you propose might be a good start.

This topic might warrant a meeting on its own

(also, we're running out of time - and I need to divert my attention soon)

Several even :D

Seve I already interviewed one and am in the process of finishing it, good to ream up

winfried! \o/

Guus oh yeah, definitely, members rock though, I felt that many orgs follow the XSF, but do not wish to contribute/participate, for various reasons: not time, shyness, intimidating, too/only technical

Can we wrap up for today?

nyco, also I've encountered some that didn't want their use of XMPP to be public knowledge

hey, we have passed the 16:00 mark, we should adjourn this meeting, who against that?

+1

MattJ, interesting

Next ? +1W as usual ?

wfm

I'm fine with +1w

BANG

Sure +1

Thanks everybody! 😉

Thanks nyco and all :)

Very nice to meet with you all!

Ge0rG curious, what was the topic?

I like to be prepared for next time 🙂

Guus: it's related to the Jabber trademark.

your license was arranged, right?

so, different issue?

Guus: right

kk

"looking forward to it"

😉

:)

so XEP-CAR is postponed?

*EAX-CAR

Ge0rG: time to do some SSL debugging?

winfried: do you mind running your domain through xmpp.net?

don't mind :-D

zinid, yes, until next week

tl;dr? 😀

Just so everyone can get a better understanding of what the responsibilities are

well, I'm just asking to run the url redirection, it's an experimental anyway

Good to know

but of course I can just copy that CA/B Forum's insane requirements to the XEP so *nobody* will able to read it

Can you give an example of an entity the redirect might go to?

MattJ, we're going to start the CA at process-one, that will be the first URL for redirection

or... just maybe wait until I've read the other XEP, I'll probably understand more then :)

Ok

jonas’, Link Mauve: I'd say closest floss thing to Dropbox would be nextcloud or syncthing , I probably wouldn't want my xmpp client trying to reinvent that wheel...

moparisthebest, does that mean you want it to be impossible to implement such a service?

It doesn’t have to be your client.

no of course not

What advantages does using XMPP have here?

just, to me, seems totally unsuited for XMPP

Ge0rG: https://xmpp.net/result.php?id=1452651 :-D

winfried: so you only accept ECDSA and I reject ECDSA

Ge0rG: Got already a smelling suspicion....

winfried: https://xmpp.net/result.php?domain=yax.im&type=server#ciphers

winfried: is there a particular reason for ECDSA?

zinid can you share a link to the insane CA/B Forums requirements? 🙂

MattJ, for incident resolution we can just borrow formal rules developed by CA/B Forum, but I don't want to copy the whole requirements of CA/B Forum, they are too complex and this will prevent some OSS community to run any CA at all except a few companies with money

Guus: https://cabforum.org/baseline-requirements-documents/

tx

moparisthebest, getting notifications about things, and being able to manage things you already uploaded in some form over XMPP, doesn’t sound that unsuited to me.

In the recent years, a lot of clients have started uploading files to their server for instance.

Guus, achtung, the document is very TL;DR 😀

It would be useful to have a way to manage that, instead of an upload once, regret forever kind of thing.

only to share links, synchronizing directory trees across computers is an entirely different ballgame

XMPP is absolutely suited for that, and I'm already on the way of doing something similar. XMPP brings its ecosystem (accounts, permissions, notifications, etc.)

And that.

zinid aren't they always? 🙂

Guus, yeah, CA is hard

Ge0rG: must have been, but I don't remember anymore... ;-) I guess I may relax my ciphers a bit.

winfried: you could use the recommendations from https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

winfried, it doesn't look like cipher selection as much as you got an ecdsa key+certificate and not an RSA one ?

you can get a pure ecdsa cert from public CAs?

Ge0rG, yes

Let's Encrypt may issue pure ECC cert

and it won't do RSA based DH?

Ge0rG, no, ejabberd's ACME only supports ECC so far and LE doesn't complain

zinid: so I won't be able to talk to any of the ejabberd self-ACMEd servers if I forbid ECDSA?

Ge0rG, yes, but that's a bug of ejabberd of course

why are you even promoting that footgun?

I promote?

that was GSoC, and as any GSoC it sucks

ECDSA is the most profoundly misdesigned crypto algorithm of the last decade or so

ah, you mean DSA?

sorry, I'm lost in terms

I thought you meant pure ECC cert (or how it's correctly called, i.e. not RSA)

zinid: I'm speaking of the ECC based algorithms that are part of TLS

okay, then I don't know what you mean, I'm clueless

Ge0rG, looks like you support all the ECDHE* algorithms and even prefer them though

that's a different issue than ECDSA vs RSA certificates

Okay, so I'm probably too stupid to follow my own advice.

also TLS 1.3 called and said it ONLY supports ECDHE algorithms so, keep that in mind :)

ECDHE is something that only works with ECC certs, right?

no

😀

entirely seperate, things

okay

for ECDSA vs RSA certificates, it's on my list of things to investigate, I *think* new nginx supports having both

I'm *guessing* no XMPP server currently does

wtf is ECDSA certificate?

which is based on ECC private key or what?

moparisthebest: You can probably configure Prosody with that now, if you have bleeding edge LuaSec

Zash: interesting challenge :-)

I think I'll try nginx first :P

according to wikipedia it seems like ECDSA cert is indeed a ECC cert

moparisthebest, haproxy supports the combo for sure

and we have some feature requests to support that in ejabberd

but only useable with xep-0368 I'm guessing?

if you use front-end like haproxy? yes

moparisthebes, winfried: https://issues.prosody.im/809#comment-5

awesome, maybe I will try that first then, thanks Zash

Zash moparisthebest checking right now with my SSL-supplier if I can get a second certificate....

winfried: unfortunately my testssl is going very slow.

winfried: is the cert the same as on your https://?

winfried, not using letsencrypt?

Ge0rG: same as https://tilanus.com/ not the same as https://www.tilanus.com/

winfried: one is a redirect to the other :>

Ge0rG: / yes

winfried: anyway, I wanted to ping you regarding your promise in the Membership application. Can do that in public as well

Ge0rG: :-D

winfried: it would be awesome if somebody could follow-up on https://github.com/xsf/xmpp.org/issues/490 and to contact the different teams behind the https://xmpp.org/uses/gaming items

Ge0rG: do you know if anybody has contacts to one of those groups?

Riot Games used to be our customer

winfried: when I was collecting the links for the gaming section, I tried to find the most authoritative ones. If they don't list contacts, I don't have anything better unfortunately.

not sure how that promotes XMPP though, as the majority of them use highly customized XMPP servers

except maybe EVE online

for the record, EVE Online maintains their ejabberd branch at github

last time I checked they had very few changes from mainline

zinid: is it wrong to run heavily patched servers?

Ge0rG: I would like to avoid making cold calls/doing research to find the right people, but I will be able to do so if needed...

Ge0rG, well, heavily patched means they patch the parts related to XMPP protocol, so basically they are not XMPP compliant

like WhatsApp for example

it's hard to call them XMPP

zinid: I call WhatsApp XMPP inspired, not an XMPP deployment...

winfried, we can call almost all of them this way

they start from XMPP and then diverge drastically

dropping all the bloat of XMPP

winfried: I can understand that, yeah. But I don't know what would be a better way. Write a post on xmpp.org saying "Dear large scale deployments, please contact us for cross promotion"?

Ge0rG: yes, would be a nice way, also good to point to if I am making a cold call...

winfried: this directly plugs into today's Board discussion, have a list of questions about the deployment.

MattJ did a survey among xmpp developers recently.

what survey?

zinid: it is hard to draw a line when something is still XMPP or not, many private deployments extend or bend the protocol in some way. But some of them may still provide nice usecases for XMPP. But it would be good to stay critical about. (And some would be better of if they kept in closer contact with the XSF)

Ge0rG: I saw it, I answered it myself too ;-)

Ge0rG: There may be different projects here: a survey, liason and whitepapers

zinid: https://goo.gl/forms/L1AKnTLXjIAfP27W2

Not sure where the results landed

Ge0rG, Prosody community != XMPP developers...

The results landed somewhere where Zash has been nagging me to process them (the survey isn't officially closed yet)

(will be AFK for a while) Ge0rG, zash, I will try a ECDSA and a RSA cert side by side later today

winfried: I'm pretty sure it's not about the cert but about the allowed ciphers

But then again, I'm not an expert

that's correct but the ciphers you can use depend on your cert

ECDHE-RSA-AES256-GCM-SHA384

that can only be used with an RSA cert

I checked my configuration, it should allow RSA

(really gone now)

ECDHE-ECDSA-AES256-GCM-SHA384

that can only be used with an ECDSA cert

But you can use ECDSA with an RSA cert?

those are different things though

gah I wish I knew the term, there is the certificate part, then the key exchange part, then the encription part

also wish I could spell haha, encryption*

LMC to the rescue!

> And some would be better of if they kept in closer contact with the XSF I'm not sure they are interested, they don't think in terms of the protocol, just like when you deploy an HTTP server you don't go in contact with the corresponding standards body

don't think dino does that yet, or I don't know the spell to invoke it

zinid, I tend to agree. I think XMPP is useful for many of them to bootstrap, but they don't necessarily need federation or interoperability

Even if both those things would generally be considered good by most people here, they do come at a cost, so I see why they get dropped easily

We should still make contact with though, I think having communication with them can be good, even if we fail

MattJ, they also choose a solution, among others, so this is nothing to do with the protocol. I just know how they think, we talked to them a lot, for example, with Belkin (former Linksys). BTW, they run 2M IoT devices on their cluster (just in case, it's not mentioned by the XSF iot cases page)

and solution typically means "how much money"

zinid: is Belkin documented anywhere in the public?

Ge0rG, yes, but I'm not sure they want to reveal their capacity

https://fluux.io/clients

they only allowed us to mention them as a client

*a customer

zinid: this is what I meant by "in the public"

what exactly? The fact that they use XMPP? Or their capacity?

although, it's hard to call that XMPP, they just send encapsulated JSON and use XMPP as a streaming transport only. We try to convince them to MQTT instead.

*to use MQTT

as MQTT requires far less resources, we can shrink cluster capacity twice or so

zinid: the fact that they are using XMPP. That would be a good mention for the IoT page

well, it's up to you of course, but my view is that XMPP is something about federation, and this is where "the community" fails miserably, I think there are less than a million of users using federated XMPP

in the sense that the XSF spends so much time to produce federated protocols (the compliance suite is an example), but the largest user base is located at walled gardens of quasi XMPP

zinid: I'm speaking of XMPP the protocol, not Jabber the IM network

well, I clarified what I mean

Re CABF, can XSF members not infiltrate it? :p What do you need to get in? money?

Be a browser or a CA I guess?

pep.: excellent question. There was a discussion about xmpp srv-id already some years ago. But it seems to not have led anywhere

Ge0rG, yeah I remember that thread

Do we have a clear set of changes we want to bring to that document?

Then we'd need to invest time in politics a bit

pep.: we should at least demand that SRV id are not forbidden in SAN

I'm not sure what the state of art is in xmppAddr fields.

It would be awesome if we could ask a public CA for a cert that only contains an srvId for an xmpp server. That would allow secure delegation of your xmpp to a service provider without letting them impersonate your webshits

Not that web security was in a good shape.

I'd also like to be able to be able to set another Key Usage

(X509v3 Extended Key Usage)

pep.: what exactly do you want to have there

_not_ Web

For a start

pep.: https://github.com/letsencrypt/boulder/issues/1309

Yeah I know that issue

And we need to do something about it now, because LE is not going to

But it's not just about SRV id in SANs, it's also that Key Usage

i.e., s/TlS Web Server Authentication/TLS Server Authentication/

Or even s/Web/XMPP/

Ge0rG, pep. , or we could push for DNSSEC + DANE ?

that way you control what key is valid for what server+port via DNS

seems better and more doable than getting CAs to do anything

moparisthebest, you can specify multiple certs in nginx since 1.11, it's desinged to be used in RSA+ECDSA scenarios, see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

note that even though Let's Encrypt will issue ECDSA cert it will be signed by their RSA intermediate cert, they don't (yet) have full ECDSA chain: https://letsencrypt.org/upcoming-features/

ah thanks, I thought I remembered them adding support for that I just haven't gotten around to it yet

👍️

moparisthebest, that's orthogonal. Even though I agree we could focus our efforts on one thing, but then I'm not sure which one to do. I remember daniel having criticism against dnssec, or the deployment (middle boxes) in germany or sth, but I don't remember the details

moparisthebest [19:57]: > Ge0rG, pep. , or we could push for DNSSEC + DANE ? I'm sure that 2019 will be the year of DNSSEC. Especially for the IM TLD

Yeah and that..

all new domains since, idk, 2012 or something have DNSSEC support

I'd argue any domain having right now supports it, maybe it's time to abandon .im

not im. no ✏

that's not a new one

Ah right my bad. Well in the meantime..

oh, I missed a word haha

I'd argue any domain worth having right now supports it, maybe it's time to abandon .im

I always verify the tld supports it before I buy anything fwiw

It'll be another decade until all DNS servers support it.

I still can't find the link I wanted but the gtld's, all the new fancy ones, must have DNSSEC support

all DNS servers support it now? maybe you mean all TLDs ?

Just this week I had a problem with Telekom DNS server returning ServFail for a non existent SRV record on a DNSSEC signed domain... after a 3s delay!

moparisthebest: I'm speaking of resolvers out there in the wild ✏

Some CPE routers still fail at SRV altogether

those are already dead https://dnsflagday.net/

On yax.im I've got 10-15% of non SRV clients

I give it about another year before 99.9% of the DNS requests are via HTTPS anyway

and all those support DNSSEC etc

Please tell me when he’s done flooding with part/join, so I can take back my normal nick.

yax.im: Serious problem detected! This domain will face issues after February 1st 2019!

!xsf_Martin, how are we supposed to see now? :p

xml_tab?

Not even, that wouldn't get to me

Seems fixed.

You need to see presence changes to understand the context, right?

indeed

Who do I need to ping again to appear in planet jabber? ralphm?

moparisthebest Ge0rG: to resolve the discussion: at Prosody, with an ECDHE certificate it accepts only incoming ECDHE connections, with an RSA certificate only RSA connections

That's... unfortunate.

pep., ralphm, indeed. Maybe intosi can help, I don't know.

moparisthebest, I do hope we don't end up with DoH everywhere. The ramifications of that scare me badly.

winfried, I mean that's not prosody specific, that's universal TLS (assuming you meant ECDSA instead of ECDHE)

dwd, too late, I think it's the default on latest android?

also enable-able in firefox

moparisthebest, All the DNS data going through Google, is it?

moparisthebest, And no doubt it's for our own good, of course.

I would guess by default yes :'(

Google and Clownflare

moparisthebest: I also assume it is universal, but I just tested it on prosody

Using Google DNS is already a reality on my Samsung phone

winfried, but did you try both?

winfried, OpenSSL, at least, can accept multiple cert/key pairs, and if given both it'll use whichever fits the ciphers requested.

moparisthebest: yes, I tried both

I run my own though, which randomly picks from a list of upstream DNS servers, and proxies over tor, so I like dns-over-tls (and dns-over-https) sorry for shameless plug https://github.com/moparisthebest/jDnsProxy

winfried: 100% guarantee, the key I select, the cipher I get :-D

dwd: I know, but I am trying to get prosody talking both, no success so far.

diving into the debugging logs right now

Zash: I tried https://issues.prosody.im/809#comment-5 no luck, it picks only the ec certificate like that. I tried to verify I really got the right version of luasec (installed the dev version locally, ahead in the path of the regular/package manager one) but I am not 100% sure it picked the right one.