XSF Discussion - 2020-11-06

  1. Seve has left

  2. Vaulor has left

  3. paul has left

  4. lorddavidiii has left

  5. deuill has joined

  6. slouchy6 has left

  7. debacle has left

  8. deuill has left

  9. lskdjf has left

  10. deuill has joined

  11. govanify has left

  12. govanify has joined

  13. Maranda has left

  14. Maranda has joined

  15. akkiko has joined

  16. adityaborikar has joined

  17. adityaborikar has left

  18. adityaborikar has joined

  19. neshtaxmpp has left

  20. alameyo has left

  21. adiaholic has left

  22. adiaholic has joined

  23. adityaborikar has left

  24. Yagiza has joined

  25. wladmis has left

  26. wladmis has joined

  27. alameyo has joined

  28. govanify has left

  29. govanify has joined

  30. akkiko has left

  31. govanify has left

  32. govanify has joined

  33. Neustradamus has left

  34. Neustradamus has joined

  35. govanify has left

  36. govanify has joined

  37. alameyo has left

  38. Mikaela has joined

  39. Seve has joined

  40. Vaulor has joined

  41. Neustradamus has left

  42. Neustradamus has joined

  43. jcbrand has joined

  44. pasdesushi has joined

  45. paul has joined

  46. ChronosX88 has joined

  47. Lance has joined

  48. Lance has left

  49. wurstsalat has joined

  50. pasdesushi has left

  51. pasdesushi has joined

  52. alameyo has joined

  53. LNJ has joined

  54. govanify has left

  55. govanify has joined

  56. lorddavidiii has joined

  57. APach has left

  58. winfried has left

  59. winfried has joined

  60. APach has joined

  61. pasdesushi has left

  62. pasdesushi has joined

  63. pasdesushi has left

  64. pasdesushi has joined

  65. pasdesushi has left

  66. lorddavidiii has left

  67. Alex has joined

  68. sonny has left

  69. sonny has joined

  70. papatutuwawa has left

  71. winfried has left

  72. winfried has joined

  73. DebXWoody has joined

  74. APach has left

  75. wladmis has left

  76. govanify has left

  77. govanify has joined

  78. Arne has joined

  79. sonny has left

  80. sonny has joined

  81. sonny has left

  82. sonny has joined

  83. sonny has left

  84. sonny has joined

  85. Guus

    Is wiki.xmpp.org dreadfully slow for anyone but me?

  86. APach has joined

  87. Guus


  88. Guus


  89. Ge0rG

    same here

  90. Ge0rG

    MattJ: are you in a position to look at it?

  91. MattJ

    No :D

  92. MattJ

    Stirring porridge with one hand, holding a baby in the other, not near my laptop

  93. Zash

    How are you typing ! ?

  94. Ge0rG

    "Ok, Google!"

  95. MattJ

    Sorry, just found the gap between being in a position to fix the wiki and my actual situation comically high

  96. Ge0rG

    MattJ: just don't drop the baby, right?

  97. papatutuwawa has joined

  98. emus has joined

  99. Guus

    or the porridge

  100. Ge0rG

    my priority would be baby > laptop > smartphone > porridge

  101. Guus

    We will take your suggestion under advisement.

  102. lorddavidiii has joined

  103. goffi has joined

  104. goffi has left

  105. APach has left

  106. APach has joined

  107. inky has left

  108. inky has joined

  109. goffi has joined

  110. lskdjf has joined

  111. jonas’

    MattJ, at least the house isn’t on fire :D

  112. Ge0rG

    everything is fine.

  113. inky has left

  114. inky has joined

  115. jonas’

    (totally made up combination of events which most definitely did not happen to anyone I know and they most definitely did not prioritize feeding the porridge over getting out of the house. luckily, and most definitely, the fire was small and nobody was harmed in this definitely made up situation)

  116. Al@cer has joined

  117. lorddavidiii has left

  118. pasdesushi has joined

  119. Al@cer has left

  120. Al@cer has joined

  121. lorddavidiii has joined

  122. pasdesushi has left

  123. pasdesushi has joined

  124. debacle has joined

  125. pasdesushi has left

  126. pasdesushi has joined

  127. mdosch has left

  128. mdosch has joined

  129. Andrzej has joined

  130. pasdesushi has left

  131. floretta has left

  132. Jonas S has joined

  133. winfried has left

  134. winfried has joined

  135. Jonas S has left

  136. nad287 has joined

  137. APach has left

  138. APach has joined

  139. Dele Olajide has joined

  140. miho has joined

  141. DebXWoody has left

  142. APach has left

  143. Shell has left

  144. APach has joined

  145. neshtaxmpp has joined

  146. Steve Kille has left

  147. miho has left

  148. Steve Kille has joined

  149. Dele Olajide has left

  150. Dele Olajide has joined

  151. DebXWoody has joined

  152. govanify has left

  153. govanify has joined

  154. govanify has left

  155. govanify has joined

  156. MattJ

    The wiki might be a bit more responsive now

  157. MattJ

    As far as I can tell it's being aggressively crawled by something

  158. MattJ

    Going into every "What links here" and diff pages, etc.

  159. MattJ

    So it's still slow

  160. dwd

    Do you also have an update on the porridge/baby situation?

  161. adiaholic has left

  162. adiaholic has joined

  163. MattJ

    The porridge was mostly successfully consumed, even if the messy high chair, table and floor didn't look like it when my wife came in. And now baby duty is successfully handed over. I'm ready to take on the easier part of my day now :)

  164. APach has left

  165. APach has joined

  166. vanitasvitae

    What happens if XEP-A is having a namespace bump, and XEP-B is depending on XEP-A? Is XEP-B required to bump its namespace as well?

  167. dwd

    Same rules apply. We bump namespaces if not doing so would otherwise cause aa interoperability problem.

  168. jonas’

    vanitasvitae, terror ensues

  169. jonas’

    see MIX

  170. jonas’

    where parts still use an old pam: namespace, which is confusing for implementations

  171. jonas’

    as they now have to support both namespaces for the specs-as-written

  172. vanitasvitae

    Okay, thanks

  173. pep. has left

  174. reedhhw has left

  175. flow

    vanitasvitae, ideally XEP-B would not simply depend on XEP-A but on (XEP-A, xep-a-namespace)

  176. edhelas has left

  177. Guus

    Thanks Matt. Good to know that the wiki isn't broken.

  178. Arne has left

  179. vanitasvitae

    flow: got it. In that case a bump would not be required for XEP-B? Only if XEP-B would be uodated to use XEP-A:++?

  180. edhelas has joined

  181. govanify has left

  182. govanify has joined

  183. Neustradamus has left

  184. Neustradamus has joined

  185. APach has left

  186. akkiko has joined

  187. jonas’

    vanitasvitae, see what I wrote. that’s a PITA for developers.

  188. jonas’

    there’s not much of a sane way out of that with the way we currently bump namespaces

  189. govanify has left

  190. govanify has joined

  191. Kev

    Namespaces should only be bumped if you can't interoperate under the existing namespace - almost always you can. We have bumped too often, I have little doubt.

  192. Ge0rG

    And in most cases you can accomplish the change with a new feature element

  193. Kev


  194. APach has joined

  195. Arne has joined

  196. adiaholic has left

  197. adiaholic has joined

  198. Al@cer has left

  199. Guus

    There are no circumstances where it would be allowable to use an intermediate as a trust anchor (meaning, not validating the issuer of the intermadiate) when validating a certificate chain, correct?

  200. Zash

    I think in DANE that's a thing

  201. Zash

    You could also cache known indermediates and so allow people to have broken setups.

  202. Ge0rG

    Guus: if the intermediate is in your trusted root set, it should be safe to abort further validation

  203. Guus

    My concern is that any revocation checks are thus bypassed.

  204. Guus

    which arguably is acceptable if the intermediate has been willingly placed in a 'trusted' root set, I suppose...

  205. Ge0rG

    well, CRLs don't work anyway.

  206. jonas’

    Guus, the intermediate could also have its own CRL, right?

  207. jonas’

    thinking about the Let’s Encrypt transition period where they had their "root" signed by another well-known CA to be trusted right away on all systems

  208. Guus

    jonas’ I'm thinking that the CRL as advocated by the intermediate is primarily used to verify certificates issued by it. Should one trust an intermediate-provided CRL to include the intermediate itself, if, for some reason, it should not be trusted anymore? That does not feel particularly safe.

  209. Zash

    Guus, are you working on a crypto library?

  210. Guus

    As in: an intermediate that goes malicious won't ever include itself in the CRL.

  211. Guus

    Zash no, I want to understand how these details are supposed to work.

  212. Zash

    It seems reasonable that the revocation methods listed in a CA cert applies to the certs it issues

  213. jonas’

    Guus, ah, I see; well, what Guus said then; if you have something in your trust store, you don’t check the CRL for it. It’s in your trust store after all.

  214. adiaholic has left

  215. adiaholic has joined

  216. jonas’

    s/Guus said/Ge0rG said/

  217. Guus

    I'm still not sure if that's correct. The entire reason for having CRL's is to be able to revoke an earlier decision to trust something.

  218. Guus

    What do you do when you have an intermediate as well as its issuer in your truststore, and the issuer adds the intermediate to its CRL?

  219. Guus

    Accept it, since it's in your truststore (which there should not be a need for, so I can understand the argument)

  220. Zash

    I suppose if you kept intermediates, you'd want to treat it as a RLU cache or somesuch, and then peridically check it against CRLs?

  221. akkiko has left

  222. Zash

    Isn't OCSP stamping(?) the thing now however? I.e. the server checks its own certificate and includes a "this is still valid" in TLS handshakes.

  223. govanify has left

  224. govanify has joined

  225. Zash

    With CRLs and OCSP being fail-open which is weird for a security thing.

  226. govanify has left

  227. govanify has joined

  228. flow

    vanitasvitae> flow: got it. In that case a bump would not be required for XEP-B? Only if XEP-B would be uodated to use XEP-A:++? Since there nothing has changed in XEP-B, no bump is required

  229. adiaholic has left

  230. Lance has joined

  231. Lance has left

  232. wladmis has joined

  233. Dele Olajide has left

  234. Dele Olajide has joined

  235. govanify has left

  236. govanify has joined

  237. govanify has left

  238. govanify has joined

  239. Dele Olajide has left

  240. Al@cer has joined

  241. Dele Olajide has joined

  242. Dele Olajide has left

  243. adiaholic has joined

  244. adiaholic has left

  245. adiaholic has joined

  246. dwd

    Zash, I believe that given an cert, there are extensions available to find, download, and then cache the signer, so you can keep going until you find a known TA or a self-signed cert.

  247. Dele Olajide has joined

  248. j.r has left

  249. Dele Olajide has left

  250. j.r has joined

  251. adiaholic has left

  252. adiaholic has joined

  253. dwd

    s/signer/issuer/ - I'm not thinking today. I think the AIA extension should help. http://pkiglobe.org/auth_info_access.html

  254. j.r has left

  255. j.r has joined

  256. deuill has left

  257. Andrzej has left

  258. adiaholic has left

  259. adiaholic has joined

  260. lorddavidiii has left

  261. dwd

    Zash, Also, you're thinking OCSP Stapling, and for XMPP servers, I think you fetch the CRL periodically, and use that as a fallback to OCSP (with or without stapling), and if you can't do CRL or OCSP then fail.

  262. dwd

    Zash, My theory here is that there are very few CRLs you actually need as a server, so you're very likely to have that, and an attack which causes OCSP to fail then has a very small window to work with.

  263. Zash

    100% Let's Encrypt probably.

  264. dwd

    Probably 5 or 6 different CRLs, though 99% LE, yes.

  265. moparisthebest

    emus: very good work on newsletter once again, it's much appreciated :)

  266. Andrzej has joined

  267. Guus

    what he said ^

  268. floretta has joined

  269. govanify has left

  270. govanify has joined

  271. govanify has left

  272. govanify has joined

  273. DebXWoody has left

  274. alex-a-soto has left

  275. alex-a-soto has joined

  276. adiaholic has left

  277. adiaholic has joined

  278. Al@cer has left

  279. Adi has joined

  280. govanify has left

  281. govanify has joined

  282. emus

    ❤ Thank you guys, very happy you like it!

  283. Adi has left

  284. Adi has joined

  285. jonas’

    Guus, ah, but CRLs are to revoke trust by the signer.

  286. jonas’

    while truststores are configured locally and have nothing to do with the signer

  287. jonas’

    (if it exists at all)

  288. jonas’

    so to revoke trust in a certificate from a trust store, you remove it from the trust store.

  289. edhelas has left

  290. Neustradamus has left

  291. Neustradamus has joined

  292. adiaholic has left

  293. adiaholic has joined

  294. flow

    hmm I was assuming that the CRLs override the trust from the truststore

  295. flow

    to check, the truststore is where your trusted root CAs certs are?

  296. pasdesushi has joined

  297. pasdesushi has left

  298. APach has left

  299. APach has joined

  300. Arne has left

  301. Arne has joined

  302. jonas’


  303. inky has left

  304. inky has joined

  305. Neustradamus has left

  306. Neustradamus has joined

  307. adiaholic has left

  308. adiaholic has joined

  309. APach has left

  310. APach has joined

  311. flow

    ahh ok, I think I figured out where I went wrong

  312. j.r has left

  313. j.r has joined

  314. APach has left

  315. APach has joined

  316. alex-a-soto has left

  317. alex-a-soto has joined

  318. govanify has left

  319. govanify has joined

  320. inky has left

  321. inky has joined

  322. DebXWoody has joined

  323. dwd

    flow, A CRL lists the signatures by an issuer that are no longer valid, in effect. An issuer *could* be a TA, but is more likely to be an intermediate cert.

  324. inky has left

  325. adiaholic has left

  326. inky has joined

  327. nyco has left

  328. Neustradamus has left

  329. Neustradamus has joined

  330. nyco has joined

  331. edhelas has joined

  332. govanify has left

  333. govanify has joined

  334. adiaholic has joined

  335. adiaholic has left

  336. adiaholic has joined

  337. inky has left

  338. Steve Kille has left

  339. edhelas has left

  340. Steve Kille has joined

  341. emus has left

  342. emus has joined

  343. lovetox has joined

  344. govanify has left

  345. govanify has joined

  346. Wojtek has joined

  347. winfried has left

  348. winfried has joined

  349. pasdesushi has joined

  350. winfried has left

  351. winfried has joined

  352. nad287 has left

  353. pasdesushi has left

  354. alex-a-soto has left

  355. lorddavidiii has joined

  356. alex-a-soto has joined

  357. miho has joined

  358. miho has left

  359. miho has joined

  360. Neustradamus has left

  361. Neustradamus has joined

  362. sonny has left

  363. sonny has joined

  364. Neustradamus has left

  365. miho has left

  366. nyco has left

  367. govanify has left

  368. govanify has joined

  369. sonny has left

  370. sonny has joined

  371. sonny has left

  372. sonny has joined

  373. Arne has left

  374. Arne has joined

  375. pasdesushi has joined

  376. pasdesushi has left

  377. pasdesushi has joined

  378. Neustradamus has joined

  379. pasdesushi has left

  380. pasdesushi has joined

  381. pasdesushi has left

  382. pasdesushi has joined

  383. pasdesushi has left

  384. pasdesushi has joined

  385. pasdesushi has left

  386. pasdesushi has joined

  387. adiaholic has left

  388. adiaholic has joined

  389. intosi has left

  390. lovetox has left

  391. miho has joined

  392. miho has left

  393. pasdesushi has left

  394. miho has joined

  395. miho has left

  396. edhelas has joined

  397. Nekit has left

  398. lorddavidiii has left

  399. calvin has joined

  400. nyco has joined

  401. sonny has left

  402. sonny has joined

  403. calvin has left

  404. calvin has joined

  405. Yagiza has left

  406. govanify has left

  407. govanify has joined

  408. lorddavidiii has joined

  409. calvin has left

  410. calvin has joined

  411. Calvin has joined

  412. ChronosX88 has left

  413. Calvin has left

  414. Calvin has joined

  415. intosi has joined

  416. pasdesushi has joined

  417. Calvin has left

  418. Calvin has joined

  419. calvin has left

  420. pasdesushi has left

  421. pasdesushi has joined

  422. Andrzej has left

  423. sonny has left

  424. sonny has joined

  425. pasdesushi has left

  426. pasdesushi has joined

  427. pasdesushi has left

  428. intosi has left

  429. nyco has left

  430. ChronosX88 has joined

  431. pasdesushi has joined

  432. nad287 has joined

  433. pasdesushi has left

  434. pasdesushi has joined

  435. inky has joined

  436. emus has left

  437. emus has joined

  438. pasdesushi has left

  439. pasdesushi has joined

  440. pasdesushi has left

  441. pasdesushi has joined

  442. serge90 has left

  443. edhelas has left

  444. edhelas has joined

  445. pasdesushi has left

  446. peetah has left

  447. peetah has joined

  448. intosi has joined

  449. Andrzej has joined

  450. pasdesushi has joined

  451. pasdesushi has left

  452. Andrzej has left

  453. Andrzej has joined

  454. nyco has joined

  455. winfried has left

  456. sonny has left

  457. sonny has joined

  458. winfried has joined

  459. sonny has left

  460. sonny has joined

  461. floretta has left

  462. Andrzej has left

  463. Andrzej has joined

  464. intosi has left

  465. nad287 has left

  466. edhelas has left

  467. nyco has left

  468. Arne has left

  469. nyco has joined

  470. Wojtek has left

  471. lorddavidiii has left

  472. nyco has left

  473. nyco has joined

  474. Nekit has joined

  475. nyco has left

  476. Arne has joined

  477. edhelas has joined

  478. Wojtek has joined

  479. intosi has joined

  480. lorddavidiii has joined

  481. goffi has left

  482. Lance has joined

  483. Lance has left

  484. lorddavidiii has left

  485. adiaholic has left

  486. Andrzej has left

  487. intosi has left

  488. govanify has left

  489. govanify has joined

  490. Andrzej has joined

  491. intosi has joined

  492. floretta has joined

  493. inky has left

  494. Andrzej has left

  495. Andrzej has joined

  496. intosi has left

  497. intosi has joined

  498. lorddavidiii has joined

  499. ChronosX88 has left

  500. ChronosX88 has joined

  501. inky has joined

  502. arc has joined

  503. Arne has left

  504. Mikaela has left

  505. intosi has left

  506. winfried has left

  507. winfried has joined

  508. nyco has joined

  509. alex-a-soto has left

  510. alex-a-soto has joined

  511. nyco has left

  512. j.r has left

  513. DebXWoody has left

  514. nyco has joined

  515. Arne has joined

  516. Andrzej has left

  517. winfried has left

  518. winfried has joined

  519. lovetox has joined

  520. j.r has joined

  521. alex-a-soto has left

  522. alex-a-soto has joined

  523. intosi has joined

  524. alex-a-soto has left

  525. alex-a-soto has joined

  526. floretta has left

  527. alex-a-soto has left

  528. alex-a-soto has joined

  529. Andrzej has joined

  530. alex-a-soto has left

  531. jcbrand has left

  532. andrey.g has joined

  533. Andrzej has left

  534. Andrzej has joined

  535. Tobias has left

  536. LNJ has left

  537. akkiko has joined

  538. akkiko has left

  539. intosi has left

  540. j.r has left

  541. lovetox has left

  542. Shell has joined

  543. neshtaxmpp has left

  544. pasdesushi has joined

  545. pasdesushi has left

  546. pasdesushi has joined

  547. pasdesushi has left

  548. pasdesushi has joined

  549. winfried has left

  550. winfried has joined

  551. pasdesushi has left

  552. Andrzej has left

  553. Andrzej has joined

  554. floretta has joined

  555. miho has joined

  556. miho has left

  557. j.r has joined

  558. nyco has left

  559. pasdesushi has joined

  560. pasdesushi has left

  561. pasdesushi has joined

  562. pasdesushi has left

  563. pasdesushi has joined

  564. nyco has joined

  565. intosi has joined

  566. pasdesushi has left

  567. demonstration has joined

  568. demonstration has left

  569. ChronosX88 has left

  570. pasdesushi has joined

  571. miho has joined

  572. miho has left

  573. Andrzej has left

  574. Andrzej has joined

  575. disgyze has joined

  576. debacle has left

  577. debacle has joined

  578. intosi has left

  579. pasdesushi has left

  580. pasdesushi has joined

  581. debacle has left

  582. pasdesushi has left