XSF Discussion - 2022-01-31


  2. phryk

    Were the XEPs for video calls and conferencing developed in collaboration with the jitsi folks?

  3. phryk

    Good morning everyone. I finally have the first draft for the central article done and would love if people could look and see if they find anything that's wrong. I put a render of it at https://docs.phryk.net/x/X%20as%20in%20Freedom.html – the sections "Free & Open standard" and "eXtensibility" especially contains things that people here know better where I'm not sure.

  4. phryk

    And with that, I'm off to sleep.^^

  5. phryk

    SVGs might look slightly less fancy because I haven't converted texts to paths yet.

  6. Menel

    phryk:
    > Were the XEPs for video calls and conferencing developed in collaboration with the jitsi folks?
    Jitsi does their own thing.

  7. moparisthebest

    "Interop via embedding our iframe" - jitsi

  8. pep.

    phryk: I'm no native but isn't "dissident" pejorative? I'd use activist instead probably

  9. edhelas

    moparisthebest exactly :D

  10. mjk

    phryk:
    > OTR only works for direct messaging – i.e. not for chatrooms, file transfers or calls.
    > :::
    > OpenPGP works for direct messaging as well as chatrooms, but not for file transfers or calls.
    It's worth reminding the context of these statements:
    > OTR/PGP _in XMPP, in practice_ only work for ...
    There's no technical reason for being unable to encrypt files or verify caller identity with those

  11. mjk

    And... I'm not sure there's a spec for pgp muc, is there?

  12. mjk

    pep.: I'm no native either, but pretty sure it's not. It only means 'one who disagrees'

  13. pep.

    mjk: yeah that's also what I found as a definition. Somebody in opposition to.. I'd still prefer something more positive :)

  14. mjk

    Well, at least 'activist' is not equivalent, one can disagree passively :D

  15. pep.

    It's already depressing enough to see how #&%£@ stuff around us is, it's nice when words don't add another layer :)

  16. mjk

    I don't disagree :))

  17. pep.

    phryk: also I'm not that set on p2p being the bestest. It's all about that model. p2p often leaks metadata you'd rather keep for yourself.

  18. Zash

    You might think that p2p means "there are no servers". This isn't accurate. Instead, everyone is a server.

  19. pep.

    Yeah

  20. pep.

    It's all about threat model*

  21. edhelas

    Zash maybe we should do p2p over blockchain with e2ee to solve the issue

  22. Kev

    Just for a somewhat native speaker's perspective just on the English side - 'dissident' does have overtones, yes.

  23. Zash

    !slap edhelas

  24. edhelas

    Zash too bad for you, you'll not be part of the next multi-billion $ startup

  25. Zash

    I don't wanna!

  26. pep.

    phryk: re anonymity I find it weird that you discard using pseudonymity to then use "true anonymity" to talk about anonymity.

  27. pep.

    I'm curious about the expected reader of this article. I still find it too technical. Also, reality is not as rainbow and flowers as the article describes it. But I haven't finished reading and I'll come back to it later actually. It's good that this topic is brought up though :)

  28. pep.

    > The body governing XMPP is the [XSF]
    phryk, governing is a strong word, maybe something more along the lines of stewardship? The XSF only defines a process to publish specs that gravitate around XMPP. Nothing prevents another entity from starting to publish specs on XMPP (and some already do).

  29. Zash

    _That_ is the true extensibility

  30. pep.

    I also find the title "Free & Open standard" deceitful. To me it relates to "Free & Open source", but in the first paragraph you say free as in free beer

  31. pep.

    And I'm yet to see a definition for open standard. Just sounds like another word that means everything and its opposite

  32. pep.

    (Same in FOSS tbh)

  33. Zash

    How about this one: https://www.itu.int/en/ITU-T/ipr/Pages/open.aspx

  34. Sam

    The usual reminder that it's "Tor" not "TOR" applies

  35. Sam

    The backronym came later and only applies to a specific part of the project.

  36. Zash

    ToR

  37. MattJ

    #NotTheOnionRouter

  38. pep.

    Talking about Tor, I felt like it was name-dropped in the article. Not really explained why it's needed

  39. pep.

    Also I'm not sure I'd attribute a phrase such as direct democracy to the XSF :/

  40. pep.

    The article, still

  41. pep.

    phryk: maybe you want feedback in another form? I feel like there's a lot more to say, details etc.

  42. moparisthebest

    phryk: also pgp does allow for encrypted file sharing

  44. phryk

    Okay, thanks a bunch for the feedback; reading from top to bottom (and technically supposed to be in a meeting, but boss doesn't reply):
    * "dissident" was chosen over "activist" for associated connotations in leftist/anarchist spaces where "activists" are often perceived to care primarily about "optics".
    * mjk, XEP 373 ("OX") intro states "Therefore this XEP can be used for example to implement end-to-end encrypted Multi-User Chat" – I just assumed that means usually implementations support it?
    * pep, I actively said P2P wasn't the "bestest" and that other factors overruled its theoretically better resilience features. This isn't clear from the current wording?
    * Zash, IIRC the agreed-upon terminology is that P2P neither has clients nor servers, but only peers. I mean you could've also called them sients or clervers, but that would only add to the confusion :P
    pep:
    * in a previous version of the identity compartmentalization section, I was being all anal about pseudonymity being the right term, but that doesn't reflect everyday use by normal people, so I changed it to confuse non-techies less.
    * I agree that it isn't "there yet" in terms of being readily digestible for non-techies. Any hints on what things still need explaining would be welcome.
    * I think free & open are at least as well defined as most things in everyday speech – language is a mess and there's no real way around that, especially if you don't want to end up with an academic text so dry it'll make you shrivel up reading it.
    * non-members being able to hand in proposals is indeed a *very* good and relevant point.
    * good point about tor not being explained.
    * the direct democracy bit is supposed to refer to people being able to dictate what parts of the whole spec (as in core + extensions) is "active" or "alive" simply through their usage. This point is about community influence, not about XSF members.
    * moparisthebest, source plox – XEPs say no.

  45. pep.

    The part on jitsi is slightly weird. Jitsi published a first version of their spec at the XSF, which was later extended, and the changes were not pushed back into the spec. But it's not "because" some of it isn't specified that it's not usable with "normal" XMPP clients (what is normal here, "A/V" wasn't part of normal in most clients until recently). Clients could very well implement unspecified, or non-standard, or non-XSF-standard behaviour, such as Jitsi-meet's, if they wanted.

  46. Zash

    phryk, the point is that having clear roles and responsibilities is nice. I know which servers see the metadata of any message I send. Harder to say in dht p2p things.

  47. pep.

    And "clients have integrated audio and video calls with OMEMO encryption", nit as well, but (please correct me if I'm wrong), call transport isn't exactly encrypted with OMEMO, it's only that some things are verified as part of initializing the transport(?)

  48. pep.

    (with OMEMO)

  49. Zash

    You can say the same about "TLS encryption".

  50. pep.

    hmm possible, yes

  51. Zash

    Probably not very useful outside of detailed crypto system design discussions to make that kind of distinction.

  52. pep.

    Would you say OpenPGP encrypted calls though if it replaced OMEMO?

  53. moparisthebest

    phryk: send a file with Conversations and pgp turned on, you'll notice it http uploads a .pgp file

  54. pep.

    I guess one would.. for marketing purposes probably :/

  55. pep.

    istr monkeysphere, even though it's slightly different

  56. phryk

    pep., "say" or "through" supposed to be a different word? because i can't parse that sentence…

  57. pep.

    which one

  58. phryk

    "Would you say OpenPGP encrypted calls though if it replaced OMEMO?"

  59. pep.

    remove "though" and it still works

  60. pep.

    And you can quote "OpenPGP encrypted calls"

  61. phryk

    Ah, I'd probably say "PGP encrypted calls" in that case.

  62. Zash

    Are the messages "encrypted with OMEMO" ? No, it's likely AES or somesuch cipher

  63. phryk

    Zash, that's actually a good point, I can substitute "encrypted" with "secured" in a lot of places and make things more understandable for non-techies…

  65. pep.

    Zash, sure. I get why we say OMEMO-encrypted messages, just like we say PGP-encrypted messages. But when people say for example "OMEMO encrypted files" it feels weird.

  66. pep.

    As you'd use a very similar way (if not the exact same) to share a file with PGP

  67. Sam

    It doesn't seem worth distinguishing between OMEMO for key exchange or OMEMO encrypting the actual data in a thing for users who won't even care what OMEMO is ¯\_(ツ)_/¯

  68. pep.

    Exactly? I would just use "encrypted"

  69. Zash

    Encrypted with 🦄️🎉️

  70. pep.

    Anyway, I did say it was a nit. Please ignore, that's far from the most important comment in the article

  71. Sam

    I meant "OMEMO-encrypted files" or "PGP-encrypted files" or whatever seems fine, even if it's actually only encrypting an AES key under the hood and that is being used to encrypt the actual data.

  72. Sam

    But I don't know the exact context; I'm just assuming it's something where you actually want to distinguish between "OMEMO is being used or PGP is being used" but don't care exactly how it's used.

  73. pep.

    > * non-members being able to hand in proposals is indeed a *very* good and relevant point.
    I think you misunderstood my comment? phryk

  74. Zash

    How pedantic do we wanna be today? 😀

  75. jonas’

    very, obviously

  76. phryk

    pep., okay, wanna elaborate on that?^^

  77. phryk

    also boss just appeared, so I'm kind of in a meeting now^^

  78. pep.

    That was the one on the XSF "governing" XMPP right? I was saying it's not (governing XMPP).

  79. pep.

    *a wild boss appears*

  80. pep.

    Grab your shield and sword, quick

  81. Zash

    The XSF is governing the XEP series, if anything.

  82. pep.

    *boss casts meeting*

  83. pep.

    aaaaahhhrrg, they got me

  84. Zash

    The wider XMPP ecosystem ... I mean we can _try_ but it's like herding cats.

  85. pep.

    Yeah no thanks. I don't think the XSF is legitimate to "govern" the wider ecosystem. It's definitely not to me as it stands

  86. moparisthebest

    pep., *It's dangerous to go alone! Take this.* ... *uh wtf is this?* *an XML library of course* ... *oh no*

  87. pep.

    *I'd rather use my **JSON LIBRARY** haha!!*

  88. pep.

    "It's very effective"

  89. phryk

    pep., no, that was about collaboration being open through membership and you pointing out that membership isn't actually required. :)

  90. pep.

    I don't remember saying that, but good

  91. Zash

    pep., and 9 months later https://xmpp.org/extensions/xep-0432.html was born

  92. phryk

    might've been zash :P

  93. Zash

    membership is mostly a legal thing for organizational reasons

  94. pep.

    Zash, aaarrrhhhggg, that thing turned against me!

  95. pep.

    phryk, my general feeling is that it's pretty thick for actual activists. The circles I'm in are not very technical and I'm sure this wouldn't be understood

  96. pep.

    (Also some don't speak english, but a translation might help here)

  97. pep.

    In general I go with the practical things, "XMPP doesn't require a phone number", "There's a number of public servers you can use to blend in the masses", "there's no central entity" (analogy to the government we want to overthrow :))

  98. pep.

    And of course use Tor, etc.

  99. phryk starts compiling notes from feedback while waiting for the second meeting

  100. emus

    > analogy to the government we want to overthrow
    I guess that pulls in more people besides drug and weapon dealers we actually don't want. But yes, it's good to not have a central instance

  101. pep.

    I don't understand your first sentence

  102. emus

    I just wanted to state that such analogies raise interest among radical people, whom I assume few people want to encourage within their networks. Even so, independent infrastructure is a thing

  103. pep.

    Who doesn't want to get rid of capitalism and the injustice that goes with it? :)

  104. emus

    offtopic

  105. pep.

    Sure that's a great way to cut a discussion short, but fine :)

  106. pep.

    I'm not sure where you discussed the reasons for this article if even just this is offtopic

  107. emus

    I don't see why I should discuss radical politics here now

  108. MattJ

    I think it's fair to say that discussions of political views and statements like "who doesn't X?" (when some people clearly do not) are off-topic here. I assume the article was posted primarily because the author is seeking review about the XMPP parts from people with XMPP experience, and this is probably the most likely place to find them. And the majority of feedback on the article has been about technical rather than political aspects, which I imagine was the intention.

  109. MattJ

    I can't assume everyone here is of the same political opinions, and I really don't want to spend time moderating political discussions

  110. pep.

    (I doubt everyone here is of the same political opinions..)

  111. MattJ

    Certainly

  112. Zash

    s/everyone here/any two people/

  113. pep.

    Ah I misread, I first thought you said everyone was :P

  114. MattJ

    If only :)

  115. pep.

    fwiw, there's more politics that happens in here than you think :)

  116. jonas’

    pep., what is the use in that statement?

  117. pep.

    Answering the "I don't want to spend time moderating political discussions"

  118. jonas’

    well if more politics is happening here than $someone thinks, it doesn't seem to require moderation *so far*. I think the statement from MattJ was meant as a foreshadowing(?), if things go farther than they have.

  119. pep.

    It doesn't need to because it's probably opinions the majority has (which often passes as "non-political" ..)

  120. emus

    Definitely, and that's good (different polit. views). But my gut feeling told me that if we just continue for 5 mins with this we are back to useless root discussion of how we can force people into some political direction with XMPP tech. I doubt that's what we are here for in the end, nor have any resources. Let's propagate the protocol and its applications in a way most people would understand and see as useful (with the few resources we have).

  121. jonas’

    pep., see, excellent.

  122. pep.

    ..

  123. pep.

    Dismissing different opinions 101

  124. moparisthebest

    XMPP is a tool, like a hammer, that can be used for good or evil, regardless of what you consider good or evil :)

  125. Daniel

    XMPP's greatest accomplishment is to trick the majority into believing they would benefit from it

  126. Zash

    Playing XMPP's advocate eh?

  127. pep.

    moparisthebest, your tool enables TLS, why? It also speaks unicode, why not just ascii? Why is federation even an option? That's what your tool that has totally nothing to do with politics (/s) does :)

  128. jonas’

    pep., let's cut it here.

  129. moparisthebest

    I agree unicode was a mistake

  130. moparisthebest

    a hammer is also a poor tool for driving in screws

  131. Kev

    We should have just chosen a charset that can encode the 29 letters of the alphabet in one byte each, numbers, some punctuation and been done with it ;)

  132. flow

    but I want to write Fußball!

  133. emus

    Heizölrückstoßabdämpfung :-)

  134. Zash

    räksmörgås?

  135. moparisthebest

    see? no use-case at all for nonsense words like these in chat... /s

  136. jonas’

    🙀

  137. mjk

    phryk:
    > XEP 373 ("OX") intro states "Therefore this XEP can be used for example to implement end-to-end encrypted Multi-User Chat" – i just assumed that means usually implementations support it?
    Errr, _are_ there implementations of OX? Much less OX MUC? Genuine question, but I have my doubts. I humbly opine that the article should mostly talk about actual impl status rather than theoretically possible implementations :)

  138. Menel

    Profanity in some state?

  139. mjk

    Nebraska?

  140. moparisthebest

    :sensible_chuckle:

  141. phryk

    mjk, I honestly have no idea. Lemme look if I can find which XEP Conversations implements for PGP…

  142. moparisthebest

    phryk, it's not OX, it's https://xmpp.org/extensions/xep-0027.html

  143. moparisthebest

    no signing, no replay prevention etc etc

  144. phryk

    According to my DOAP table builder thingie, Conversations, Dino and Gajim support XEP-0027 and Gajim additionally implements XEP-0373.

  145. moparisthebest

    if you are a dissident who the govt is after you might not want signing

  146. phryk

    moparisthebest, So XEP-0027 messages can be forged?

  147. moparisthebest

    anyone can encrypt to a key if that's what you mean

  148. phryk

    Ye, that's why I spelled the identity assurance part explicitly out in the article.

  149. mjk

    Replayed rather

  150. moparisthebest

    the authenticity just comes from normal xmpp guarantees (so if you have an evil server operator, those are out the window)

  152. phryk

    Well if a login is compromised but the pgp key isn't, the attacker with the login can forge messages that for the recipient are indiscernible from messages by the actual holder of the pgp key, right?

  153. moparisthebest

    you don't need or use a pgp key to send a xep-0027 message

  154. phryk

    Yes, that's kind of the case. You just need the recipient's pubkey.

  155. moparisthebest

    yes

  156. phryk

    Just want to make sure I understand correctly. :)

  157. mjk

    > Gajim
    Right, I remembered something like that. Interestingly, I don't hear people talking about actually using it, even just testing. Weird

  158. phryk

    Well, the only "advantage" it really has to OMEMO is that you can have something approaching legally binding proof of identity, right? Don't see many people having a use-case for that.

  159. phryk

    If municipalities used XMPP for bureaucracy I could see a strong use-case, but not in the current environment.

  160. mjk

    > Well, the only "advantage" it really has to OMEMO is that you can have something approaching legally binding proof of identity, right? Don't see many people having a use-case for that. Makes sense

  161. mjk

    >? Don't see many people having a use-case for that. Makes sense

  162. phryk

    mjk, your edit just gave me an *awful* idea.

  163. phryk

    having a bot do a marquee on their last message through continuous edits.

  164. mjk

    That's an actual thing...

  165. phryk

    This already exists? D:

  166. phryk

    Not sure if I should be sad or relieved…^^

  167. mjk

    Don't remember whether in profanity or poezio

  168. mjk

    Btw, does OX not provide the convenience of having the entire history encrypted with one key?

  169. phryk

    I would think so, but honestly haven't read the specs. :P

  170. phryk

    I mean, at least for devices on which you use the same key.

  171. phryk

    But I also assume that you could migrate OMEMO keypairs between devices and have the same result. Just haven't seen clients offering that as a feature.

  172. moparisthebest

    phryk, yea implementing <marquee> with last message edit was already done, Link Mauve iirc ?

  173. moparisthebest

    you can't migrate OMEMO keypairs actually

  174. moparisthebest

    you can't use the same ones on 2 different devices that is

  175. phryk

    And here I was, thinking I'd be doing something unspeakably offensive by implementing that. ^^

  176. phryk

    moparisthebest, how come?

  177. moparisthebest

    one of the properties of OMEMO is you can only decrypt messages once

  178. Menel

    I think its about the rotating keys after use. Pfs

  179. phryk

    Ah, nice to know, thanks for explaining.

  180. mjk

    Technically, you could probably clone omemo state and receive messages on all clones successfully, but the moment you try to send something, the ratchets go out of sync

  181. mathieui

    mjk, the marquee thing is from a poezio plugin -I wrote it, don’t hit me-

  182. mjk

    mathieui: it's not abuse if it's for fun!

  183. mathieui

    allowed us to find some bugs in correction code, though (between unbounded message correction depth which leads to leaks, and recursion that goes further than the python limits and crashes)

  184. mjk

    Noice