-
Guus
Is wiki.xmpp.org dreadfully slow for anyone but me?
-
Guus
Uhoh.
-
Guus
https://igniterealtime.org:443/httpfileupload/jiYCE27cESUD4UHmnYmyBSCeJVg/image.png
-
Ge0rG
same here
-
Ge0rG
MattJ: are you in a position to look at it?
-
MattJ
No :D
-
MattJ
Stirring porridge with one hand, holding a baby in the other, not near my laptop
-
Zash
How are you typing ! ?
-
Ge0rG
"Ok, Google!"
-
MattJ
Sorry, just found the gap between being in a position to fix the wiki and my actual situation comically high
-
Ge0rG
MattJ: just don't drop the baby, right?
-
Guus
or the porridge
-
Ge0rG
my priority would be baby > laptop > smartphone > porridge
-
Guus
We will take your suggestion under advisement.
-
jonas’
MattJ, at least the house isn’t on fire :D
-
Ge0rG
everything is fine.
-
jonas’
(totally made up combination of events which most definitely did not happen to anyone I know and they most definitely did not prioritize feeding the porridge over getting out of the house. luckily, and most definitely, the fire was small and nobody was harmed in this definitely made up situation)
-
MattJ
The wiki might be a bit more responsive now
-
MattJ
As far as I can tell it's being aggressively crawled by something
-
MattJ
Going into every "What links here" and diff pages, etc.
-
MattJ
So it's still slow
-
dwd
Do you also have an update on the porridge/baby situation?
-
MattJ
The porridge was mostly successfully consumed, even if the messy high chair, table and floor didn't look like it when my wife came in. And now baby duty is successfully handed over. I'm ready to take on the easier part of my day now :)
-
vanitasvitae
What happens if XEP-A is having a namespace bump, and XEP-B is depending on XEP-A? Is XEP-B required to bump its namespace as well?
-
dwd
Same rules apply. We bump namespaces if not doing so would otherwise cause aa interoperability problem.
-
jonas’
vanitasvitae, terror ensues
-
jonas’
see MIX
-
jonas’
where parts still use an old pam: namespace, which is confusing for implementations
-
jonas’
as they now have to support both namespaces for the specs-as-written
-
vanitasvitae
Okay, thanks
-
flow
vanitasvitae, ideally XEP-B would not simply depend on XEP-A but on (XEP-A, xep-a-namespace)
-
Guus
Thanks Matt. Good to know that the wiki isn't broken.
-
vanitasvitae
flow: got it. In that case a bump would not be required for XEP-B? Only if XEP-B would be uodated to use XEP-A:++?
-
jonas’
vanitasvitae, see what I wrote. that’s a PITA for developers.
-
jonas’
there’s not much of a sane way out of that with the way we currently bump namespaces
-
Kev
Namespaces should only be bumped if you can't interoperate under the existing namespace - almost always you can. We have bumped too often, I have little doubt.
-
Ge0rG
And in most cases you can accomplish the change with a new feature element
-
Kev
Yes.
-
Guus
There are no circumstances where it would be allowable to use an intermediate as a trust anchor (meaning, not validating the issuer of the intermadiate) when validating a certificate chain, correct?
-
Zash
I think in DANE that's a thing
-
Zash
You could also cache known indermediates and so allow people to have broken setups.
-
Ge0rG
Guus: if the intermediate is in your trusted root set, it should be safe to abort further validation
-
Guus
My concern is that any revocation checks are thus bypassed.
-
Guus
which arguably is acceptable if the intermediate has been willingly placed in a 'trusted' root set, I suppose...
-
Ge0rG
well, CRLs don't work anyway.
-
jonas’
Guus, the intermediate could also have its own CRL, right?
-
jonas’
thinking about the Let’s Encrypt transition period where they had their "root" signed by another well-known CA to be trusted right away on all systems
-
Guus
jonas’ I'm thinking that the CRL as advocated by the intermediate is primarily used to verify certificates issued by it. Should one trust an intermediate-provided CRL to include the intermediate itself, if, for some reason, it should not be trusted anymore? That does not feel particularly safe.
-
Zash
Guus, are you working on a crypto library?
-
Guus
As in: an intermediate that goes malicious won't ever include itself in the CRL.
-
Guus
Zash no, I want to understand how these details are supposed to work.
-
Zash
It seems reasonable that the revocation methods listed in a CA cert applies to the certs it issues
-
jonas’
Guus, ah, I see; well, what Guus said then; if you have something in your trust store, you don’t check the CRL for it. It’s in your trust store after all.
-
jonas’
s/Guus said/Ge0rG said/
-
Guus
I'm still not sure if that's correct. The entire reason for having CRL's is to be able to revoke an earlier decision to trust something.
-
Guus
What do you do when you have an intermediate as well as its issuer in your truststore, and the issuer adds the intermediate to its CRL?
-
Guus
Accept it, since it's in your truststore (which there should not be a need for, so I can understand the argument)
-
Zash
I suppose if you kept intermediates, you'd want to treat it as a RLU cache or somesuch, and then peridically check it against CRLs?
-
Zash
Isn't OCSP stamping(?) the thing now however? I.e. the server checks its own certificate and includes a "this is still valid" in TLS handshakes.
-
Zash
With CRLs and OCSP being fail-open which is weird for a security thing.
-
flow
vanitasvitae> flow: got it. In that case a bump would not be required for XEP-B? Only if XEP-B would be uodated to use XEP-A:++? Since there nothing has changed in XEP-B, no bump is required
-
dwd
Zash, I believe that given an cert, there are extensions available to find, download, and then cache the signer, so you can keep going until you find a known TA or a self-signed cert.
-
dwd
s/signer/issuer/ - I'm not thinking today. I think the AIA extension should help. http://pkiglobe.org/auth_info_access.html
-
dwd
Zash, Also, you're thinking OCSP Stapling, and for XMPP servers, I think you fetch the CRL periodically, and use that as a fallback to OCSP (with or without stapling), and if you can't do CRL or OCSP then fail.
-
dwd
Zash, My theory here is that there are very few CRLs you actually need as a server, so you're very likely to have that, and an attack which causes OCSP to fail then has a very small window to work with.
-
Zash
100% Let's Encrypt probably.
-
dwd
Probably 5 or 6 different CRLs, though 99% LE, yes.
-
moparisthebest
emus: very good work on newsletter once again, it's much appreciated :)
-
Guus
what he said ^
-
emus
❤ Thank you guys, very happy you like it!
-
jonas’
Guus, ah, but CRLs are to revoke trust by the signer.
-
jonas’
while truststores are configured locally and have nothing to do with the signer
-
jonas’
(if it exists at all)
-
jonas’
so to revoke trust in a certificate from a trust store, you remove it from the trust store.
-
flow
hmm I was assuming that the CRLs override the trust from the truststore
-
flow
to check, the truststore is where your trusted root CAs certs are?
-
jonas’
yes
-
flow
ahh ok, I think I figured out where I went wrong
-
dwd
flow, A CRL lists the signatures by an issuer that are no longer valid, in effect. An issuer *could* be a TA, but is more likely to be an intermediate cert.