nyco: a question:
https://fosstodon.org/web/statuses/103166428834063205 @sofia@chaos.social
@xmpp hi there!
i was wondering if XMPP has any standards or plans for self-verifying IDs? like if my public key (or its hash) is a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8 then my id could be a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8@jabber.ccc.de and so everyone who knows my id automatically has a verified, secure channel to me..
sofia @sofia@chaos.social
oh, the same question goes to @matrix , too! it may even be more relevant to #matrix because i think they have a single default e2e encryption scheme, unlike XMPP. #selfVerifyingID
!XSF_Martin: Like adding your omemo ID to your jid in conversations?
!XSF_Martin: If you add me with this link in conversations you'll automatically have my omemo key verified.
Don't know if it's included in the omemo xep and other programs support this too.
!XSF_Martin: Maybe Daniel can clarify.
Ge0rG: !XSF_Martin: I think the underlying idea is to use your key-id as an identifier instead of the localpart of the JID
Ge0rG: if followed consequently, the domain part will be merely a routing identifier, i.e. "I'm currently holding my temporary state at jabber.ccc.de, but tomorrow it might be fancyjabs.biz"
!XSF_Martin: Where is this more unique/verified than your jid?
Ge0rG: The Matrix folks are in the process of retrofitting this mechanism after they found out that having a server responsible for your identity is a "dumb" idea ;)
!XSF_Martin: Oh, so that would need some sort of registry?
Ge0rG: !XSF_Martin: no. it would need servers to verify your proof of key ownership
Ge0rG: !XSF_Martin: but the resulting protocol would be a different subset of Zooko's triangle
!XSF_Martin: As a self hoster my domain and my jid on my website is proof enough for me. 😂
Ge0rG: nyco: does that help in answering?
nyco: nope, I don't understand this discussion, sorry... :)
I suggest some of you (who have fediverse accounts) engage the conversations, or you suggest me a text answer that I will post as @xmpp
Ge0rG: nyco: text suggestion:
In the federated XMPP IM network, user identity is always enforced by the respective servers, allowing for human-readable identifiers, and there are no current plans to change this. You could create an overlay network, where user accounts would authenticate to a server by their keypair, and the username part would be a hash or fingerprint resulting from this. To be secure, that approach would require that a client signs every piece of information that is stored on the server or transmitted to other systems, and each other system will have to verify that signature. The domain part of your ID would become merely a "drop box" for the data sent to you, as you could re-register with your key pair on any other domain, and XMPP would be just a routing layer for your overlay network with your currently-used server as a single point of failure. Eventually, you will realize that XMPP is not a perfect routing layer for such a protocol, and that there are better protocols for the requested traits of Zooko's triangle <https://en.wikipedia.org/wiki/Zooko%27s_triangle>
Ge0rG: I hope this take isn't too cynical
flow: at some point you end with the "dead drops" that vuvuzela.io uses
Ge0rG: Vuvuzela:
> Vuvuzela is a private chat application that hides metadata, including who you chat with and when you are chatting.
Also Vuvuzela:
> Create your Vuvuzela account [_] I am not a robot (reCAPTCHA)
Ge0rG: Only reinforces me in my opinion not to trust things hosted on .IO domains
David Cridland: nyco, I think you touch on the answer there. Using hashes as addresses (which was first discussed for email, incidentally) has problems because you end up with a fixed (ie, non-agile) encryption mechanism. Moreover, what if a key is compromised? To have access to the key ends up implicitly granting access to the identity, so if your key is changed then so must your address. XMPP has tried overloading portions of the address with meanings other than routing; it really is a painful problem when those meanings diverge.
David Cridland: nyco, An alternative solution is a secure method for binding a key to an identity. X.509, for example, uses a trusted third party to verify this, PGP uses a web of trust instead for much the same result. Many E2EE solutions use an in-person verification solution (QR codes, fingerprints, etc), or simply "leap of faith", where you prove consistency rather than identity.
David Cridland: nyco, FWIW, I don't think the question refers to Zooko's Triangle, since the question doesn't care about human readable names, but that notwithstanding, Ge0rG's answer is correct.
Ge0rG: While the question does not refer to it, I still think that it's a valuable hint in understanding the problem space.
Ge0rG: Even though I disagree with the Wikipedia list of things that have "solved" Zooko's
Guus: What's the most up-to-date specification that we have on message deletion?
Guus: or ephemeral messages?
Guus: There was some discussion on this a while back, but did that ever make it into a XEP?
Zash: Guus: You mean actual deletion/retraction or the whole routing 2.0 thing?
Zash: https://xmpp.org/extensions/xep-0424.html and https://xmpp.org/extensions/xep-0425.html are new
Guus: 424 is what I'm after
Guus: thanks
Link Mauve: “09:14:13 Ge0rG> Only reinforces me in my opinion not to trust things hosted on .IO domains”, yet you use poez.io!
Ge0rG: origin git://git.poez.io/poezio (fetch)
Damn it.
pep.: Ge0rG, re hash as localpart, there could be non-trivial infrastructure added (DHT etc.) to allow this, and then a different bind method etc.
pep.: The rest of the addressing would be the same
pep.: It's not done at the moment, but in the same way we now have a CA XEP we could have a DHT xep :P
Ge0rG: pep.: you'd only lose one of the basic aspects of XMPP
pep.: how so
Ge0rG: that servers are responsible for managing accounts on them
Ge0rG: a completely different question: a friend of mine is looking to integrate with Google Firebase via XMPP, and I can't even understand how Google is making use of XMPP for that API from the official docs
Ge0rG: are there any resources for people who *do* know how XMPP works?
Guus: > but who will be where will be announced closer to the event.
pep.: Ge0rG, servers could still be responsible for managing accounts on them. A user could choose where to have their account managed, and could also easily decide to move them around
Guus: Interesting to find out if we get more space this year!
pep.: (that's one possible answer to <moved/>)
Zash: People lose their keys. Massive pain to have a key be your identity.
pep.: That's their issue, and it's always been
pep.: They currently lose their password it's the same story
jonas’: a password can be changed
Zash: Have Summit 2020 dates been set?
jonas’: if your identity is tied to your key ...
pep.: jonas’, the operator has the responsibility to decide if they allow giving access to a potential attacker :)
pep.: I prefer to leave this responsibility to the user themselves tbh
pep.: it's been tweeted somewhere and on the wiki yeah
pep.: ralphm, any idea why Matrix is not included in the realtime lounge again?
pep.: Why they can be separate from everyone else
pep.: Next year can we have XMPP split as well if so?
Zash: Marketing reasons I assume
pep.: Why can't we have marketing as well
Guus: pep. Probably history: the Realtime Lounge predates Matrix.
Guus: at the time, joining forces gave better chances of all related projects being accepted.
pep.: That doesn't really explain it to me. "Hey Matrix! We're going to put you in the realtime lounge", done.
Guus: That suggests that Fosdem organisation re-groups their applicants.
pep.: I already raised this "issue" a few months ago fwiw
Guus: The realtime lounge is being asked for by a group of related projects. Matrix did their own request.
David Cridland: Ge0rG, The Firebase XMPP interface is actually a legacy one, which is why the docs are sparse.
Guus: We could ask them to join us, or we could ask for our one spot
pep.: Guus, maybe we need to do the opposite then? Request a slot for XMPP itself
Ge0rG: David Cridland: what's the official FCM API if you need upstream messages?
David Cridland: I thought it was HTTP/2 for the shinies - you need messages from device to backend, do you?
Ge0rG: I already know from Android development that you need at least one full-time developer just to keep up with Google changing APIs
Ge0rG: David Cridland: exactly
Guus: pep. yes we could do that. I'm not sure if that improves our chances of getting a spot though.
Seve: If we can apply to both, I guess is fine. Otherwise we would risk it and lose the spot entirely, is it?
David Cridland: Ge0rG, Send a normal push and then have the app callback with an XMPP session? :-)
pep.: Guus, well Matrix is getting their own.. I'm not sure why not
David Cridland: Also, didn't know there was Saturday-only and Sunday-only stands.
Ge0rG: David Cridland: was that ironic?
Guus: because there's a status quo. Also, other projects in the realtime lounge put in quite some effort to get things organized.
ralphm: pep. we can totally have XMPP marketing there, and we've done that since forever
David Cridland: Ge0rG, Not entirely. But I don't know that it's a terrible idea - I find the feedback from Push pretty poor at the best of times.
ralphm: Doing it as the Realtime Lounge just gave us a better chance of being accepted, than each individual project (XMPP, Jitsi, other RTC projects) on their own
Ge0rG: David Cridland: https://firebase.google.com/docs/cloud-messaging/android/upstream clearly says that you need FCM XMPP for that
David Cridland: Ge0rG, Oh, still? Well, that's good I suppose.
Ge0rG: David Cridland: feedback from your developers doing Push regarding reliability / real-time?
pep.: ralphm, people see "Matrix" and they don't see "XMPP"
pep.: We're not playing on the same field
Zash: pep.: XMPP isn't a FOSS project
ralphm: Zash: the dates were announced even by e-mail on several mailinglists on Aug 11, including summit@.
David Cridland: Ge0rG, You might be able to make some sense out of the Python asyncio FCM library, I know that uses XMPP.
ralphm: pep. on the schedule you mean, yes, that is true. On the floor, they totally see XMPP.
pep.: Zash, that's another problem sure. XMPP unlike Matrix is not a standard, an implementation, a company, etc. all at the same time
Guus: Note that we get a lot of benefit from bundling forces. Saul does most of the organizing and often is manning the devroom too.
Guus: Our exposure on the floor is pretty good
Ge0rG: David Cridland: let's move this into private chat. I'm currently looking at Smack as an FCM client library
Guus: (we could improve the look and feel, but there's definitely an XMPP presence - basically all of the lounge is XMPP)
pep.: Ge0rG, I think our exposure is pretty bad, but that's another topic
pep.: In the corner where nobody goes
Guus: Yeah, we've asked for more space in a different location
Guus: but that wouldn't change by going at it alone - if anything, we'd get less space.
David Cridland: FWIW, +1 to different location - we're very much in the corner at the moment. But also quite happy as a group.
Guus: For years, XMPP effectively took all of the floor space that is meant to be shared with a few projects - so we're not doing bad there.
Guus: Yeah, the location thing has, again, been asked for explicitly. But that's out of our hands.
Zash: It's a pretty cozy corner FWIW
Guus: The corner isn't too bad, but it now has too many stands in it
David Cridland: ralphm, Oh, my wife says to ask you for green hoodies this year.
pep.: Who decides for the hoodies btw? Can anybody see the swag before it gets printed?
Guus: So, by doing our own application, we'd reduce the chance of being accepted, run the risk of getting less space on the floor, will have to do our own organizing (especially for the Dev room). Only to get 'XMPP' printed on the folders? For me, that's not enough added value.
Guus: pep. we desperately want people to provide content there!
Guus: last year, Dave and Ralph came up with designs
David Cridland: I didn't!
Guus: but please, suggest stuff
Guus: the bottle openers were yours!
Zash: And as noted, FOSDEM is more for FOSS projects, which XMPP isn't.
David Cridland: Oh, the text, in which I missed a better gag.
Guus: See, we need better content pep. - dwd has been failing us! 😃
David Cridland: The original (grey) hoodies were my design, though.
Zash: Classic
David Cridland: I think we should do pens and notebooks if we can, must be a "messaging" joke there.
Zash: Letter openers?
Zash: For extra fun at the airport
Guus: empty cans with strings.
Zash: Haha
Guus: we'll brand them "Matrix" >;-)
David Cridland: Nice.
Guus: back to fixing bugs left by one 'dave' in our codebase
David Cridland: A new t-shirt design would be good, if we could think of one.
David Cridland checks name
David Cridland: Can't be me then.
Guus: stream management.
David Cridland: That was Jonny.
Guus: fun things happen when a client reconnects using the same resource
David Cridland: Oh, interesting.
pep.: Guus, isn't that what is done nowadays? :x
pep.: (using the same resource)
Zash: Replacing the previous one instead of resuming it?
pep.: ah
Guus: There's a couple of things going wrong. Long story short: the new session is kicked after the TTL for the original session elapses.
Guus: But with various periodic tasks, and behavior different between clients, and a requirement of a previous session to have existed, made this hard to reproduce 🙂
Zash: Reference to the resource instead of the session itself?
ralphm: pep., I shared my designs with several people involved with organising for the Summit / FOSDEM before they went to print
Guus: Zash yup
Guus: ralphm Do we still have orange ones? I ruined mine 😞
ralphm: David Cridland, suggestion of 'Green Hoodies' noted.
Zash: Green like the logo?
David Cridland: ralphm, It'd be quite fun to have a rainbow of colours available.
Zash: Logo colors?
ralphm: Guus: a couple, but maybe not all sizes. I'm not at home right now, but can check.
Zash: Photo shoot with people arranged in the shape of the logo, with proper colors?
Guus: David Cridland pretty expensive too, if you want to do them in all sizes.
Guus: ralphm thanks
ralphm: David Cridland, the problem with many color options is that I would want to know upfront who wants which size/color.
David Cridland: FWIW, I have to admit I don't much like the sleeve print. Perhaps I'm too old and uncool for that.
MattJ: Potentially anyone travelling from the UK with merchandise for sale at FOSDEM may be in an interesting situation next year
ralphm: David Cridland, quite
David Cridland cries
Link Mauve: MattJ, nah, https://twitter.com/julianpopov/status/1185664196178042880
ralphm: MattJ, why? You'd leave before brexit, but come back after :-D
Link Mauve: The XMPP logo we printed on the flyers for Capitole du Libre last weekend was much darker and less shiny than on a computer screen. :(
MattJ: Would that make me an exporter from the EU??
Link Mauve: Paper is hard.
ralphm: Also, the better plan recently has been shipping it to my address, as we also have a van for the event.
Ge0rG: ralphm: add some XMPP-branded sweets and you can spray "free candy inside" on the van door
Guus: LOL
ralphm: Yeah, our region is market leader in that stuff. Should be easy.
ralphm: Reminds me of the Breaking Bad session at RealtimeConf: https://vimeo.com/77799055
ralphm: Oh, how I miss RealtimeConf
MattJ: Indeed
pep.: hah that's a cool session
Zash: pep., did you have Prosody stickers btw?
pep.: I did
pep.: There's like 5 left
ralphm: pep., 'cool' doesn't even begin to describe this. This was a conference with its own novel, graphic novel, and play + soundtrack (played live in between the sessions)
ralphm puts on https://benmichel.bandcamp.com/
pep.: nice
pep.: thoughts about having the muc service also provide an http upload/jingle component or sth to upload files? For when the user server doesn't provide it.
pep.: Maybe there are times where it makes more sense to have it on the muc at all rather than the user's server.
Ge0rG: pep.: I totally agree. It's also a minor privacy leak to see your private server's HTTP URL in a MUC
Zash: pep.: Not opposed. Authz via affiliation or such?
pep.: Sure
Ge0rG: Zash: via occupancy?
Ge0rG: Maybe the MUC domain should just allow the 0363 IQs to all JIDs that are joined to at least one MUC
MattJ: Interesting that you could then upload the files to a MUC service and then post the links elsewhere
Zash: O(rooms) lookup?
pep.: MattJ, I guess that's "already an issue" anyway? you can create an anonymous user on most public servers and upload something there
pep.: Or even just any real account
MattJ: Sure
Zash: If it's tied to a single room then it could automatically be broadcast on upload too
Ge0rG: Good luck figuring out the race conditions between the sending client's message and that