XSF Discussion - 2022-01-17


  1. qwestion

    > wurstsalat: i feel like it'll snowball and i'll end up spending way more time and effort than i intend. That's normally how nontrivial PRs go for me and it's kinda put me off them...

  2. qwestion

    Pastrbin it qy

  3. qwestion

    Pastebin it? qy

  4. qy

    qwestion: http://ipfs.io/ipfs/QmXGv1p2aLkYG8qQTwQwhowwhiVwNHo2nvju69o5vksoeT

  5. qwestion

    qy: nice does it work/view better w an ipfs browser like Thor?

  6. qy

    ㄟ(ツ)ㄏ you tell me

  7. qwestion

    qy: first time I c ipfs used as paste, is it common now? On xmpp elsewhere?

  8. emus

    is there actually a board email to reach out?

  9. jonas’

    emus, board@xmpp.org

  10. emus

    it should be placed on the website I think

  11. emus

    thanks

  12. jonas’

    emus, info@xmpp.org

  13. jonas’

    https://xmpp.org/contact/ which actually is on the website

  14. jonas’

    I think at least that info@ is read by board

  15. emus

    jonas’: but I was looking for this where is it linked?

  16. emus

    ah at the very bottom

  17. emus

    hmmm, I wonder if we should place that better

  18. dwd

    rion, Also RFC 6125 goes into all of that DNS/DNSSEC/X.509/etc stuff in more detail, but with fewer fairies and wizards and stuff.

  19. rion

    I'm still trying to figure out. Assuming xmpp is somehow balanced via srv records. Each host behind srv has a host name and all of them are covered by wildcard certificate. Does it mean I need two certificates? Like wildcard + for base domain. Or it's better to not use certs for particular hosts at all. Like to use just base certificate for every host and check just it. In other words ignore the fact the returned certificate doesn't match particular host name but rather matches only to xmpp domain.

  20. jonas’

    rion, you need a certificate only for the domain behind the @ in XMPP addresses

  21. jonas’

    the host names inside the SRV records do not matter at all

  22. rion

    Ok. Thanks

  23. dwd

    rion, All clients (and servers) will validate the XMPP domain name is in the certificate, so this is the best option. Some will also validate the hostname, but only if the SRV record was DNSSEC-signed. Some might also validate the IP Address, but again only if the A/AAAA record was signed.

  24. dwd

    rion, We want DNSSEC and hostname verification supported in clients (and servers) because it makes mass-hosting of many domains much much simpler, and results in less sharing of cryptographic material across administrative domain boundaries.

  25. rion

    dwd: thanks. Though could you elaborate about "much simpler"?

  26. dwd

    If you have one (clustered) server hosting, say, 1000 domains, and you add one, currently (for interop) you need to replace the certificate on the service to include the new domain (or add a new certificate). The certificate then allows the XMPP provider to spoof the customer's website, which is "not ideal". But if the new domain has a DNSSEC SRV record, and the certificate has the hostname(s), then you don't need to do anything.

  27. flow

    all right, which one here owns xmpp.sexy? :)

  28. edhelas

    flow depends, what do you want to do with it 😏 ?

  29. flow

    same as rms.sexy, just with current council members maybe? :)

  30. edhelas

    so much sexy thinkpads on that one

  31. emus

    lol that domain^^