XSF Discussion - 2019-09-21

MattJ, May I suggest to remove the "Servers MUST NOT include the <stanza-id/> element in messages addressed to JIDs that do not have permissions to access the archive" from xep313. It appears to provide very little, I'd even say nothing because the id-String shouldn't reveal anything, for a lot of complexity in the MAM archive service implementation

it does reveal something

on ejabberd for example the exact timestamp of the message

I think it would have to be tied with a requirement that ids do not leak any info

yeah and this would be bad

I'm not sure timestamp counts as a problem

But if it was combined with a counter it would

And timestamps are not unique on their own

lovetox, well that would violate a MUST frmo xep359

also I am not sure if timestamps are a problem

its very useful that ejabberd uses timestamps as ids ✏

as it allows to determine a order

even if impl cannot rely on it because other servers dont do that

Tell me you don't depend on that :)

furthermore, we could at least relax the requirement in xep313, e.g. by making it conditional

of course i dont, as not all servers do that

when i remember correctly the only argument against a orderable id was

clusters may be more complex to implement that

but I would simply remove that requirement from xep313, which also would make the xep less complex, which is always good

> MattJ> I think it would have to be tied with a requirement that ids do not leak any info Isn't that the case already?

For 0359 stuff

Hmm, it says "unique and stable" and recommends UUID..

I think that's good enough

i see xep 0398 is under specified

it says "Upon receiving a vCard publication request with a valid photo attached"

so no photo element is invalid in this case?

means every client out there now has to publish empty photo elements in there vcard for avatar conversion to work?

is this intended? why not just interpret no photoelement as <photo/>

or did the XEP author foget about the "Delete a photo" usecase

and this sentence reflects only setting a avatar other than none

^ Daniel

yes the XEP doesn’t cover deletion

yet

pep., see also the security section of xep359

Right, so that's settled then

MattJ, xep359 already has that requirement that IDs do not leak inve, hence i was supprised to find that section in xep313

pep.: "unique and stable" is not enough

We've already seen security issues from far simpler and more obvious problems, it's not enough to say that a sentence in a separate document covers us

MattJ, see what was said above

0359 mandates more than that

- the IDs defined in this extension MUST be unique and stable within the scope of the generating XMPP entity - Entities observing the value MUST NOT be able to infer any information from it - The value of 'id' MUST be considered a non-secret value.

(obviously, "MUST NOT be able to infer any information from it" is only practical to some extent, but that wouldn't be an issue for MAM would it)

I suggest to introduce a new stanza element, <mam-id>, that is not leaking any information.

With a "MUST NOT be equal to any of the other id elements or attributes of the message" requirement.

Can't tell if sarcasm

In https://xmpp.org/extensions/xep-0398.html#presence it's implied but not explicitly stated that the server should leave empty <photo/> elements alone. Why is that? (poke Daniel)

Iirc to give clients the option to join w/o avater

Not that it really makes sense. But I think that was the intention behind it

Some clarification there would be good I think

Quick update on the IM regulation. I just (accidentally) talked to someone who was on the SPD's (major party in Germany) digital working group thing. And it was her that Katharina barley asked in 2018 about IM regulation. And she contacted the CCC who was like "mhh we don't really know". And now it's apparently dead because according to her the SPD is not in a functional state right now

Cc Ge0rG

What was that article then a week ago? :/

dunno. i mean it did not have any sources. maybe it was old sources

or just made up

k

also she asked for me contact information and i wrote down my website and my email address and then she asked for my phone number because she doesn’t write email; and under pressure I couldn’t remember it (why do people think that 10 random numbers are a good ID) - i gues s i need a business card

"why do people think that 10 random numbers are a good ID" haha, I agree, and that's not even because of the infamous Zooko.

Daniel: did you take her phone number at least?

Ge0rG, no. it felt more like a "don’t call us we call you" situation

Daniel: that's a bit sad.

last time i tried to talk to a politician she offered to take a selfie with me

"PR, PR, PR"?

Daniel: looks like you learned the hard way how modern politics work...

daniel: maybe she wanted the phone number to contact you via signal? :-p