a question:
https://fosstodon.org/web/statuses/103166428834063205 @sofia@chaos.social
@xmpp hi there!
i was wondering if XMPP has any standards or plans for self-verifying IDs? like if my public key (or its hash) is a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8 then my id could be a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e3b627e5675c8@jabber.ccc.de and so everyone who knows my id automatically has a verified, secure channel to me..
sofia @sofia@chaos.social
oh, the same question goes to @matrix , too! it may even be more relevant to #matrix because i think they have a single default e2e encryption scheme, unlike XMPP. #selfVerifyingID
!XSF_Martin
Like adding your omemo ID to your jid in conversations?
If you add me with this link in conversations you'll automatically have my omemo key verified.
Don't know if it's included in the omemo xep and other programs support this too.
!XSF_Martin
Maybe Daniel can clarify.
Ge0rG
!XSF_Martin: I think the underlying idea is to use your key-id as an identifier instead of the localpart of the JID
Ge0rG
if followed consequently, the domain part will be merely a routing identifier, i.e. "I'm currently holding my temporary state at jabber.ccc.de, but tomorrow it might be fancyjabs.biz"
!XSF_Martin
Where is this more unique/verified than your jid?
Ge0rG
The Matrix folks are in the process of retrofitting this mechanism after they found out that having a server responsible for your identity is a "dumb" idea ;)
!XSF_Martin
Oh, so that would need some sort of registry?
Ge0rG
!XSF_Martin: no. it would need servers to verify your proof of key ownership
Ge0rG
!XSF_Martin: but the resulting protocol would be a different subset of Zooko's triangle
As a self hoster my domain and my jid on my website is proof enough for me. 😂
Ge0rG
nyco: does that help in answering?
nyco
nope, I don't understand this discussion, sorry... :)
I suggest some of you (who have fediverse accounts) engage the conversations, or you suggest me a text answer that I will post as @xmpp
Ge0rG
nyco: text suggestion:
In the federated XMPP IM network, user identity is always enforced by the respective servers, allowing for human-readable identifiers, and there are no current plans to change this. You could create an overlay network, where user accounts would authenticate to a server by their keypair, and the username part would be a hash or fingerprint resulting from this. To be secure, that approach would require that a client signs every piece of information that is stored on the server or transmitted to other systems, and each other system will have to verify that signature. The domain part of your ID would become merely a "drop box" for the data sent to you, as you could re-register with your key pair on any other domain, and XMPP would be just a routing layer for your overlay network with your currently-used server as a single point of failure. Eventually, you will realize that XMPP is not a perfect routing layer for such a protocol, and that there are better protocols for the requested traits of Zooko's triangle <https://en.wikipedia.org/wiki/Zooko%27s_triangle>
Ge0rG
I hope this take isn't too cynical
flow
at some point you end with the "dead drops" that vuvuzela.io uses
Ge0rG
Vuvuzela:
> Vuvuzela is a private chat application that hides metadata, including who you chat with and when you are chatting.
Also Vuvuzela:
> Create your Vuvuzela account [_] I am not a robot (reCAPTCHA)
Ge0rG
Only reinforces me in my opinion not to trust things hosted on .IO domains
David Cridland
nyco, I think you touch on the answer there. Using hashes as addresses (which was first discussed for email, incidentally) has problems because you end up with a fixed (ie, non-agile) encryption mechanism. Moreover, what if a key is compromised? To have access to the key ends up implicitly granting access to the identity, so if your key is changed then so must your address. XMPP has tried overloading portions of the address with meanings other than routing; it really is a painful problem when those meanings diverge.
David Cridland
nyco, An alternative solution is a secure method for binding a key to an identity. X.509, for example, uses a trusted third party to verify this, PGP uses a web of trust instead for much the same result. Many E2EE solutions use an in-person verification solution (QR codes, fingerprints, etc), or simply "leap of faith", where you prove consistency rather than identity.
David Cridland
nyco, FWIW, I don't think the question refers to Zooko's Triangle, since the question doesn't care about human readable names, but that notwithstanding, Ge0rG's answer is correct.
Ge0rG
While the question does not refer to it, I still think that it's a valuable hint in understanding the problem space.
Ge0rG
Even though I disagree with the Wikipedia list of things that have "solved" Zooko's
Guus
What's the most up-to-date specification that we have on message deletion?
Guus
or ephemeral messages?
Guus
There was some discussion on this a while back, but did that ever make it into a XEP?
Zash
Guus: You mean actual deletion/retraction or the whole routing 2.0 thing?
Zash
https://xmpp.org/extensions/xep-0424.html and https://xmpp.org/extensions/xep-0425.html are new
Guus
424 is what I'm after
Guus
thanks
Link Mauve
“09:14:13 Ge0rG> Only reinforces me in my opinion not to trust things hosted on .IO domains”, yet you use poez.io!
Ge0rG
origin git://git.poez.io/poezio (fetch)
Damn it.
pep.
Ge0rG, re hash as localpart, there could be non-trivial infrastructure added (DHT etc.) to allow this, and then a different bind method etc.
pep.
The rest of the addressing would be the same
pep.
It's not done at the moment, but in the same way we now have a CA XEP we could have a DHT xep :P
Ge0rG
pep.: you'd only lose one of the basic aspects of XMPP
pep.
how so
Ge0rG
that servers are responsible for managing accounts on them
Ge0rG
a completely different question: a friend of mine is looking to integrate with Google Firebase via XMPP, and I can't even understand how Google is making use of XMPP for that API from the official docs
Ge0rG
are there any resources for people who *do* know how XMPP works?
> but who will be where will be announced closer to the event.
pep.
Ge0rG, servers could still be responsible for managing accounts on them. A user could choose where to have their account managed, and could also easily decide to move them around
Guus
Interesting to find out if we get more space this year!
pep.
(that's one possible answer to <moved/>)
Zash
People lose their keys. Massive pain to have a key be your identity.
pep.
That's their issue, and it's always been
pep.
They currently lose their password it's the same story
jonas’
a password can be changed
Zash
Has Summit 2020 dates been set?
jonas’
if your identity is tied to your key ...
pep.
jonas’, the operator has the responsibility to decide if they allow giving access to a potential attacker :)
pep.
I prefer to leave this responsibility to the user themselves tbh
it's been tweeted somewhere and on the wiki yeah
pep.
ralphm, any idea why Matrix is not included in the realtime lounge again?
pep.
Why they can be separate from everyone else
pep.
Next year can we have XMPP split as well if so?
Zash
Marketing reasons I assume
pep.
Why can't we have marketing as well
Guus
pep. Probably history: the Realtime Lounge predates Matrix.
Guus
at the time, joining forces gave better chances of all related projects being accepted.
pep.
That doesn't really explain it to me. "Hey Matrix! We're going to put you in the realtime lounge", done.
Guus
That suggests that Fosdem organisation re-groups their applicants.
pep.
I already raised this "issue" a few months ago fwiw
Guus
The realtime lounge is being asked for by a group of related projects. Matrix did their own request.
David Cridland
Ge0rG, The Firebase XMPP interface is actually a legacy one, which is why the docs are sparse.
Guus
We could ask them to join us, or we could ask for our one spot
pep.
Guus, maybe we need to do the opposite then? Request a slot for XMPP itself
Ge0rG
David Cridland: what's the official FCM API if you need upstream messages?
David Cridland
I thought it was HTTP/2 for the shinies - you need messages from device to backend, do you?
Ge0rG
I already know from Android development that you need at least one full-time developer just to keep up with Google changing APIs
Ge0rG
David Cridland: exactly
Guus
pep. yes we could do that. I'm not sure if that improves our chances of getting a spot though.
Seve
If we can apply to both, I guess is fine. Otherwise we would risk it and lose the spot entirely, is it?
David Cridland
Ge0rG, Send a normal push and then have the app callback with an XMPP session? :-)
pep.
Guus, well Matrix is getting their own.. I'm not sure why not
David Cridland
Also, didn't know there was Saturday-only and Sunday-only stands.
Ge0rG
David Cridland: was that ironic?
Guus
because there's a status quo. Also, other projects in the realtime lounge put in quite some effort to get things organized.
ralphm
pep. we can totally have XMPP marketing there, and we've done that since forever
David Cridland
Ge0rG, Not entirely. But I don't know that it's a terrible idea - I find the feedback from Push pretty poor at the best of times.
ralphm
Doing it as the Realtime Lounge just gave us a better chance of being accepted, than each individual project (XMPP, Jitsi, other RTC projects) on their own
Ge0rG
David Cridland: https://firebase.google.com/docs/cloud-messaging/android/upstream clearly says that you need FCM XMPP for that
David Cridland
Ge0rG, Oh, still? Well, that's good I suppose.
Ge0rG
David Cridland: feedback from your developers doing Push regarding reliability / real-time?
pep.
ralphm, people see "Matrix" and they don't see "XMPP"
pep.
We're not playing on the same field
Zash
pep.: XMPP isn't a FOSS project
ralphm
Zash: the dates were announced even by e-mail on several mailinglists on Aug 11, including summit@.
David Cridland
Ge0rG, You might be able to make some sense out of the Python asyncio FCM library, I know that uses XMPP.
ralphm
pep. on the schedule you mean, yes, that is true. On the floor, they totally see XMPP.
pep.
Zash, that's another problem sure. XMPP unlike Matrix is not a standard, an implementation, a company, etc. all at the same time
Guus
Note that we get a lot of benefit from bundling forces. Saul does most of the organizing and often is manning the devroom too.
Guus
Our exposure on the floor is pretty good
Ge0rG
David Cridland: let's move this into private chat. I'm currently looking at Smack as an FCM client library
Guus
(we could improve the look and feel, but there's definitely a XMPP presence - basically all of the lounge is XMPP)
pep.
Ge0rG, I think our exposure is pretty bad, but that's another topic
pep.
In the corner where nobody goes
Guus
Yeah, we've asked for more space in a different location
Guus
but that wouldn't change by going alone - if anything, we'd get less space.
Guus
but that wouldn't change by going at it alone - if anything, we'd get less space.
David Cridland
FWIW, +1 to different location - we're very much in the corner at the moment. But also quite happy as a group.
Guus
For years, XMPP effectively took all of the floor space that is meant to be shared with a few projects - so we're not doing bad there.
Guus
Yeah, the location thing has, again, been asked for explicitly. But that's out of our hands.
Zash
It's a pretty cozy corner FWIW
Guus
The corner isn't too bad, but it now has too many stands in it
David Cridland
ralphm, Oh, my wife says to ask you for green hoodies this year.
pep.
Who decides for the hoodies btw? Can anybody see the swag before it gets printed?
Guus
So, by doing our own application, we'd reduce the chance of being accepted, run the risk of getting less space on the floor, will have to do our own organizing (especially for the Dev room). Only to get 'XMPP' printed on the folders? For me, that's not enough added value.
Guus
pep. we desperately want people to provide content there!
Guus
last year, Dave and Ralph came up with designs
David Cridland
I didn't!
Guus
but please, suggest stuff
Guus
the bottle openers were yours!
Zash
And as noted, FOSDEM is more for FOSS projects, which XMPP isn't.
David Cridland
Oh, the text, in which I missed a better gag.
Guus
See, we need better content pep. - dwd has been failing us! 😃
David Cridland
The original (grey) hoodies were my design, though.
Zash
Classic
David Cridland
I think we should do pens and notebooks if we can, must be a "messaging" joke there.
Zash
Letter openers?
Zash
For extra fun at the airport
Guus
empty cans with strings.
Zash
Haha
Guus
we'll brand them "Matrix" >;-)
David Cridland
Nice.
Guus back to fixing bugs left by one 'dave' in our codebase
A new t-shirt design would be good, if we could think of one.
David Cridland checks name
David Cridland
Can't be me then.
Guus
stream management.
David Cridland
That was Jonny.
Guus
fun things happen when a client reconnects using the same resource
David Cridland
Oh, interesting.
pep.
Guus, isn't that what is done nowadays? :x
pep.
(using the same resource)
Zash
Replacing the previous one instead of resuming it?
pep.
ah
Guus
There's a couple of things going wrong. Long story short: the new session is kicked after the TTL for the original session elapses.
Guus
But with various periodic tasks, and behavior different between clients, and a requirement of a previous session to have existed, made this hard to reproduce 🙂
Zash
Reference to the resource instead of the session itself?
ralphm
pep., I shared my designs with several people involved with organising for the Summit / FOSDEM before they went to print
Guus
Zash yup
Guus
ralphm Do we still have orange ones? I ruined mine 😞
ralphm
David Cridland, suggestion of 'Green Hoodies' noted.
Zash
Green like the logo?
David Cridland
ralphm, It'd be quite fun to have a rainbow of colours available.
Zash
Logo colors?
ralphm
Guus: a couple, but maybe not all sizes. I'm not at home right now, but can check.
Zash
Photo shoot with people arranged in the shape of the logo, with proper colors?
Guus
David Cridland pretty expensive too, if you want to do them in all sizes.
Guus
ralphm thanks
ralphm
David Cridland, the problem with many color options is that I would want to know upfront who wants which size/color.
David Cridland
FWIW, I have to admit I don't much like the sleeve print. Perhaps I'm too old and uncool for that.
MattJ
Potentially anyone travelling from the UK with merchandise for sale at FOSDEM may be in an interesting situation next year
MattJ, why? You'd leave before brexit, but come back after :-D
Link Mauve
The XMPP logo we printed on the flyers for Capitole du Libre last weekend was much darker and less shiny than on a computer screen. :(
MattJ
Would that make me an exporter from the EU??
Link Mauve
Paper is hard.
ralphm
Also, the better plan recently has been shipping it to my address, as we also have a van for the event.
Ge0rG
ralphm: add some XMPP-branded sweets and you can spray "free candy inside" on the van door
Guus
LOL
ralphm
Yeah, our region is market leader in that stuff. Should be easy.
ralphm
Reminds me of the Breaking Bad session at RealtimeConf: https://vimeo.com/77799055
ralphm
Oh, how I miss RealtimeConf
MattJ
Indeed
pep.
hah that's a cool session
Zash
pep., did you have Prosody stickers btw?
pep.
I did
pep.
There's like 5 left
ralphm
pep., 'cool' doesn't even begin to describe this. This was a conference with its own novel, graphic novel, and play + soundtrack (played live in between the sessions)
ralphm puts on https://benmichel.bandcamp.com/
pep.
nice
pep.
thoughts about having the muc service also provide an http upload/jingle component or sth to upload files? For when the user server doesn't provide it.
pep.
Maybe there are times where it makes more sense to have it on the muc at all rather than the user's server.
Ge0rG
pep.: I totally agree. It's also a minor privacy leak to see your private server's HTTP URL in a MUC
Zash
pep.: Not opposed. Authz via affiliation or such?
pep.
Sure
Ge0rG
Zash: via occupancy?
Ge0rG
Maybe the MUC domain should just allow the 0363 IQs to all JIDs that are joined to at least one MUC
MattJ
Interesting that you could then upload the files to a MUC service and then post the links elsewhere
Zash
O(rooms) lookup?
pep.
MattJ, I guess that's "already an issue" anyway? you can create an anonymous user on most public servers and upload something there
pep.
Or even just any real account
MattJ
Sure
Zash
If it's tied to a single room then it could automatically be broadcast on upload too
Ge0rG
Good luck figuring out the race conditions between the sending client's message and that
nyco
https://brandimage.io/insight/XMPP?source=reddit
nyco
https://brandimage.io/insight/XMPP?source=hn
pep.
"A web page is slowing down your browser. What would you like to do?"
nyco
indeed, it may be slow
weird on my old computer and tab-overloaded browsers I don't have this warning