-
qwestion
> wurstsalat: i feel like it'll snowball and i'll end up spending way more time and effort than i intend. That's normally how nontrivial PRs go for me and it's kinda put me off them...
-
qwestion
Pastebin it? qy
-
qy
qwestion: http://ipfs.io/ipfs/QmXGv1p2aLkYG8qQTwQwhowwhiVwNHo2nvju69o5vksoeT
-
qwestion
qy: nice does it work/view better w an ipfs browser like Thor?
-
qy
ㄟ(ツ)ㄏ you tell me
-
qwestion
qy: first time I c ipfs used as paste, is it common now? On xmpp elsewhere?
-
emus
is there actually a board email to reach out?
-
jonas’
emus, board@xmpp.org
-
emus
it should be placed on the website I think
-
emus
thanks
-
jonas’
emus, info@xmpp.org
-
jonas’
https://xmpp.org/contact/ which actually is on the website
-
jonas’
I think at least that info@ is read by board
-
emus
jonas’: but I was looking for this where is it linked?
-
emus
ah at the very bottom
-
emus
hmmm, I wonder if we should place that better
-
dwd
rion, Also RFC 6125 goes into all of that DNS/DNSSEC/X.509/etc stuff in more detail, but with fewer fairies and wizards and stuff.
-
rion
I'm still trying to figure out. Assuming xmpp is somehow balanced via srv records. Each host behind srv has a host name and all of them are covered by wildcard certificate. Does it mean I need two certificates? Like wildcard + for base domain. Or it's better to not use certs for particular hosts at all. Like to use just base certificate for every host and check just it. In other words ignore the fact the returned certificate doesn't match particular host name but rather matches only to xmpp domain.
-
jonas’
rion, you need a certificate only for the domain behind the @ in XMPP addresses
-
jonas’
the host names inside the SRV records do not matter at all
-
rion
Ok. Thanks
-
dwd
rion, All clients (and servers) will validate the XMPP domain name is in the certificate, so this is the best option. Some will also validate the hostname, but only if the SRV record was DNSSEC-signed. Some might also validate the IP Address, but again only if the A/AAAA record was signed.
-
dwd
rion, We want DNSSEC and hostname verification supported in clients (and servers) because it makes mass-hosting of many domains much much simpler, and results in less sharing of cryptographic material across administrative domain boundaries.
-
rion
dwd: thanks. Though could you elaborate about "much simpler"?
-
dwd
If you have one (clustered) server hosting, say, 1000 domains, and you add one, currently (for interop) you need to replace the certificate on the service to include the new domain (or add a new certificate). The certificate then allows the XMPP provider to spoof the customer's website, which is "not ideal". But if the new domain has a DNSSEC SRV record, and the certificate has the hostname(s), then you don't need to do anything.
-
flow
alright, which one here owns xmpp.sexy? :)
-
edhelas
flow depends, what do you want to do with it 😏 ?
-
flow
same as rms.sexy, just with current council members maybe? :)
-
edhelas
so much sexy thinkpads on that one
-
emus
lol that domain^^