XSF Discussion - 2019-08-08

and set it to moderated

someone with power must create the muc on muc.xmpp.org

you can’t just join there and create it

One does not simply...

I once moved a room by setting it to moderated and sending invites to the new room on join. Plus a message explaining things.

(One of the very few Prosody modules I wrote.) :-)

So MattJ would you be so kind and use your power to create the MUC

yes, please :)

I can create it

yes please

don't forget to give it a good name :)

xdev?

x is moar cool than j 🙂

.oO( Sounds like the beginning of a discussion that can easily take several weeks ... )

yog-sothoth@

I gave it a great name: jdev

xdev +1 :(

Why not both, jxdev!

or xjdev

... dev@ would do the trick too, it’s already on muc.xmpp.org

This is not a democracy.

jonas’, true!

I hereby call for a member meeting to remove ralphm from Board</joking>

I would've suggested dev/devel/development as well, but there might be some value in sticking to the same name as the jdev@ mailing list.

Historical Reasons™

Or just sentimental value.

jonas’: there's this member election coming up, though, where I have to renew.

consistency is nice

Kev & jonas’: these.

Also Zash

Hello!

About OMEMO implementation.

When do I need to ask user if he trust the identity?

In save_identity or is_trusted_identity callback?

This sounds like a question for xmpp:jdev@muc.xmpp.org?join 🙂

Yagiza, neither

If signal asks is trusted, you return always true

you have to implement your own trust management on top

otherwise signal will not build sessions until user interacts with the client which would result in very bad UX

lovetox, so, I should always trust the identity, but notify user that identity cannot be trusted yet.

depends on what you want to do

What im saying is, you should circumvent signal trust management and always return True when signal lib asks you

that does not mean you Trust anything though

you have to add your own trust management on top of that

could mean you trust on first contact, (blind trust), could mean you always want a user interaction before a message is sent ..

whatever you think is in the security interests auf your users

0. Welcome + Agenda

Who do we have?

_o/

and hi

Hello

quorum

ola

MattJ: around?

Here

Wow, nice

CooL!

1. Minute taker

ok...

Thanks nyco

2. Compliance badges

yep, so

the poll has run

I can pack it and deliver it

What's the gist?

also I can share the form and sheet with board members

but

we raised the question whether we wanted or not to enlarge the audience to standards@

so... 1. stop 2. more ?

It depends, really. How many responses did you get and can we work with it?

I'm not opposed to extending the audience

I think it's kind of silly to, after all these weeks and various discussions / emails, go back _again_ to asking for input.

right

I prefer to take a decision.

We're trying to pick a nice image here - it's not a life/death decision. Let's try to come to a conclusion.

all right

Yes, we have been talking about this for a bit already

I'll send the results... to what list?

also, who wants to have it shared?

Have there been any responses from people saying they would definitely use them? I confess I haven't been keeping up to date, but I mostly/only(?) read negative comments

I'm ok with sharing a quantative summary, not individual comments.

these are anonymous

19 responses

ok, I'll send it to board@

next topic?

thanks

nyco: what

's the overal theme of the result?

our preferred badge

and predictions if it's gonna be used

You're not giving anything away, are you?

I gotta count

oh

Ok, moving on then.

spoiler warning: don't read what's next => opensourcedesign wins

spoiler warning: don't read what's next => people will use it

Yay

that's positive to very positive

:)

Let's then discuss it finally next week.

3. M-Sec

This card has been on our agenda for a while

If I recall correctly, this is the second email from the same project. I'm unsure if we handled the first one.

I responded to their initial request, and they send a reply, but I haven't followed up since.

And did a second email / invitation then arrive again out of the blue?

I think so

I remember thinking: "didn't they already reach out?"

We got a response from Charlotte Tucker on May 17.

Where they mentioned that they were primarily working on awareness, nothing in depth, yet

I found that response to be somewhat of a disappointment.

it didn't show any relation with XMPP, other than "you have a website and we'd like to use you to boost SEO"

Yes, indeed.

I was not sure how we could create those 'synergies' between us

(this is from memory, I might be off a tad, but that was what my impression was)

If there's potential for XMPP usage / evangelism, I'm interested in pursuing furher (that was my thought to the initial email)

Is this really a new e-mail? Because I haven't seen a repeat.

I didn't see anything related to XMPP last time. Do you know if they were using XMPP?

the second email made me question if it'd be in our interest to move further.

Guus: for me? no

to me it's disconnted

It is the same text?

I'm unsure if there was really a new e-mail. Might be my email client acting up

in any case, this got me wondering: "We understand KEIO, our M-Sec partner (in CC), is already engaged with you."

I'd be interested in finding out what our relation with KEIO is.

Same here

https://github.com/nkzwlab

Guus: I wrote this last time, so I think the answer is 'little':

Thanks for reaching out to the XMPP Standards Foundation. The M-Sec Project seems like a great effort and looks interesting. I am aware that people at KEIO University have been involved with the XMPP community previously. E.g. around Efficient XML Interchange (EXI), internationalization of XMPP servers, as well as sensor networks over XMPP. Can you briefly go into how you think the XMPP Standards Foundation (or the XMPP community in general) could contribute to this project? Are you looking at using XMPP as a communication platform for chat (use case 2), sensor networks (use case 1), or the IoT use cases? Are you seeking guidance on the usage of protocols or libraries, or collaboration on defining new or improving existing XMPP Extension Protocols?

Did we get a reply?

Yes:

At this initial stage (the first year of the project), we would be interested in a primary communications collaboration, in which we mutually cross-promote project activities and results (on social media, blogs, intermediary contacts, etc.). At this point, we are building up awareness of the project. We could spread your news in our communities and help you to continue being positioned as a thought-leader in this sphere. Do you currently use these platforms? - Social - Blog - Newsletter - Other platforms On our side, we are building social accounts, a blog and newsletter, as well as leveraging our partners' already well-established platforms. Then, we would be interested to discuss the ways to collaborate that you have mentioned in the coming months. We are working on defining the use cases and how they will be implemented in the smart cities of Santander and Fujisawa. Our partners in the M-Sec project would step into the conversation at this time.

ah, yes, this, apart from any lack of XMPP references, is what put me off from Charlotte's response: "Do you currently use these platforms?" To me, that's them putting in zero effort to finding out what we do. That does not bode well for future collaboration, in my view.

I have not responded to that one, unfortunately, but I don't feel my questions were actually answered.

Ahh, right

So until I see a different type of message, that doesn't sound like SEO, I think we do nothing.

In my view, we either do nothing, or give it one shot and express our concern that this looks like a buckshot attempt at SEO.

If you really feel the latter is needed, I could

I'm fine with the collaboration on social media and such, but it looks like it is just that :/ Would have been great if they could reply to your response, ralphm. I would see it as beneficial for us if they use XMPP, otherwise makes no sense we continue with it

I don't think it's needed - but if there's a chance that this might turn out beneficial for the XSF / XMPP, we might want to give it one last shot.

but I'm equally happy with just dropping it.

if they want to google-bomb "m-sec", they'll have to fight against "meter per second"... good luck... a name change would be better :)

hehe

Ok, I'll think about it for a bit. Moving on.

4. Roadmap

I'm back from vacation and will do this before next meeting.

5. AOB

?

None here

Any updates from the German effort?

Ge0rG ?

I'd love for that to take form / shape, as I think it could benefit XMPP.

Indeed

I think it hasn't been two months yet.

I assume Ge0rG will ping us when there's news.

Sure, but if we can proactively support Alex and him, I'd love for us to be ready for that.

Of course.

No news. Sorry.

but lets discuss that with him present.

ah

Ge0rG: so mostly waiting for now?

I'd still like to know from Board what we would expect from that collaboration.

ralphm: indeed.

Something we should have ready, I have to say. Just for when the time comes

We'll, I'm mostly interested in what kind of things they want to 'fix' and what kind of regulation would help achieve this.

ralphm: I suppose the goal is to enforce federation between IM networks, while preserving E2EE and user security and privacy.

I mean, of course I'd love the whole world to use XMPP for all messaging, as people use SMTP for e-mail, but that seems a bridge too far for now.

I'm not expecting specifics, but I'd love for a result a la XMPP becoming the standard to be used by inter-governmental-agency communications.

Right. I'm not even sure if that stated goal is actually achievable.

indeed, mandating open standards for government IM needs, or even for all IM systems, would essentially mean XMPP

But even if it is, what kind of 'features' are included in there? Just plain-text messages? Groups? Media?

let that be part of the to-be-had discussion with them.

let's first see if they're interested in moving towards something like this.

So yeah, I'd like to participate asking such questions.

Ge0rG: does that help at all?

ralphm: a bit indeed. However I'm not sure how we can arrange such a discussion.

This won't work easily if I'm a proxy.

if not a mandated solution, then at the very least recognision that XMPP is a good way to solve privacy / security IM issues within certain fields might be a nice outcome.

In that case, we(the XSF) should rather prepare a list of questions and a list of demands/requirements

And I can bring that in

Ge0rG: after their response, I suppose?

Ge0rG - what are your own thoughts here?

as you've brought it up in the first place, you must have some sort of desired end-result?

ralphm: I'd like to get one step ahead of them

I also need to separate my own desires from the official XSF voice.

Which are?

sure, but maybe they overlap, at least partially 😃

I'd like to have a law mandating that IM systems over a certain size must expose an API/federation mechanism based on open standards.

Ge0rG: I feel anyone here can express their desires, and then we come up with a rough consensus.

The representative was very interested in E2EE, and I fear OMEMO won't cut it.

So maybe we need to have some kind of MLS based proposal

Ge0rG: do you mean public services?

Ge0rG: do business-oriented platforms like Slack count?

MLS?

Guus: Standardised E2E.

https://datatracker.ietf.org/wg/mls/about/

ralphm: that's an excellent question

Ge0rG, https://datatracker.ietf.org/wg/mls/about/

If there's interest in E2EE, and there's an observed lack of that in XMPP, then maybe an outcome could be grants to work on improving that.

it was for Guus and also late... :) Thanks Kev

ralphm: I'd say that all commercial providers should have to do that.

has the gavel been banged?

nyco: not yet

Ge0rG maybe we should start to create some sort of document to capture motives like these

ralphm: there might be a set of useful objective criteria when to require support for federation

Yeah, I have to prep for a meeting starting in 10

Guus: did you say "wiki"?

maybe something less public

Does that matter? Do we expect to get gamed by Facebook?

I'd hate to see ideas that we're not going to pitch in the end, find their way to people that we didn't want to pitch those ideas too.

Guus: alright. Can you arrange for something?

Should we find the way to work on this via email instead (so we can free the Board members)

Seve: some kind of etherpad maybe, communicated via email to Board + X(?)

something like that would work for me

People said they needed to go though.

maybe wrap this up?

Sure, or just a mailing list might suffice.

Sure

Some politicians in Germany seem eager to get some form of regulation going. So the question is not 'is regulation a good thing' but instead can we help them to at least make this less idiotic

Wrapping up.

Ge0rG, yes

6. Date of Next

+1W

7. Close

Thanks all!

Daniel +!

thx

Perfect, thank you guys :)

I'm unsure if I can make it next week.

Thanks guys!

Also if they are going to regulate anyway I'd rather have them use xmpp than for example wire or matrix

Daniel: understood. Elections coming up?

MattJ - could you arrange for a private mailing list for this to be set up, with your iteam hat on?

I'd prefer an etherpad actually.

ralphm: not really.

We want to make a document after all

Ge0rG fine, etherpad it is - I've never created/used one of those though

Thanks nyco - seems like a clear outcome to me.

let's discuss next week how to proceed. I'd love to quickly engage the author and see if he's interested in completing these designs.

nyco: where did you send it to?

Ah, to board@. What a pity.

jonas’ would you mind trying to crawl igniterealtime.org again? DH key size should be better now.

Guus, it runs into a timeout now, it appears my prosody isn’t getting a reply after it sent the stream header after STARTTLS

jonas’: that's odd. I've retreated away from the laptop, will investigate later

Thanks for trying

you’re welcome

Guus, FYI debug logs from my side https://paste.debian.net/hidden/fdf8e8df/

I noticed buffer sizing issues before, maybe that's what's going on here

thinking about introducing a "critical" (= you need to understand this element, otherwise reply with feature-not-implemented) attribute in XMPP, it’s not that easy actually.

for example, one can have content which is critical for a client to understand, but not for the servers (even possibly MUC servers, so the @to addressed entity) to understand, for example, a mandatory read receipt

and then, one could imagine a thing which would need to be understood by a smart archive (for example, reactions), too

or stuff which needs to be only understood by forwarding servers (i.e. both users servers), like extended addressing for server-side carbon-copying or something

You just need to invent a feature to advertise understanding of "critical" and mark it itself as critical `<feature var='critical' xmlns:critical='urn:xmpp:critical:sqrt(-1)' critical:critical='critical'/>`

you could’ve just written urn:xmpp:critical:i ;P

You forgot to make it ALL UPPERCASE

Ge0rG, Kev, Seve is anyone in our community involved in MLS?

I'm not, but I'd like to if I find the time

ralphm, I think Dave participated in the earlier times on the mailing list

I'm happy for the security mob to do their thing, but eventually we should probably have an XMPP proposal to use it.

Yes

Unsure when would be a good time to get involved, whether XMPP has particular properties that need to be taken into account.

But I guess dwd might have a better idea on this.