XSF Discussion - 2022-02-12


  1. Andrzej

    Link Mauve, I do not recall doing anything on the server around that time

  2. Andrzej

    but I might have an idea what is going on, thank you for reporting that

  3. Link Mauve

    No worries, it just popped up in poezio and I thought you’d be interested. :)

  4. moparisthebest

    How would people feel if instead of migrating to srv2 we just crammed everything in host-meta over https ?

  5. moparisthebest

    Everything as in starttls, direct TLS, quic, posh replacement pinning keys instead of certs etc

  6. Link Mauve

    moparisthebest, and require an entire HTTP stack just for connecting?

  7. Link Mauve

    No thanks.

  8. moparisthebest

    Link Mauve: you already need a whole http stack

  9. moparisthebest

    Also I've given up hope in dnssec

  10. Link Mauve

    You don’t.

  11. Link Mauve

    I have written many clients and some servers without doing a single HTTP request.

  12. Link Mauve

    General-purpose clients will need that for HTTP File Upload, but that’s kind of the only one?

  13. moparisthebest

    Link Mauve: so how do you handle secure delegation for hosted XMPP without an http client for posh or widespread dnssec?

  14. Link Mauve

    How many clients do POSH?

  15. Link Mauve

    Last time I tried, it wasn’t worth it using for our hosted service.

  16. flow

    moparisthebest, I think one reason, if not the main reason, that DNSSEC did not see wide adoption in the last decade is that it does not provide much to closed-silo networks: if you control all clients and all servers, then you probably just pin the TLS certs (and maybe even the IPs)

  17. moparisthebest

    Link Mauve: right, it's not widely supported, and that's a problem

  18. Link Mauve

    So instead we recommend our users to use a CNAME delegation, it creates worse-looking JIDs but that’s the safest way.

  19. moparisthebest

    We can kill 8 birds with 1 https request here

  20. Zash

    Noooooooooooooooooooooooooooooooooooooooooooo

  21. moparisthebest

    flow: right I'm concerned with the open federated network

  22. moparisthebest

    Link Mauve: cname delegation is a hack that doesn't work for most of the names people want

  23. Link Mauve

    Do people care?

  24. Link Mauve

    Our users don’t seem to at least.

  25. moparisthebest

    I couldn't move my names to a hosted service for instance

  26. moparisthebest

    If they did do they have a choice?

  27. Link Mauve

    You could, by providing us your certificates.

  28. moparisthebest

    You have an automated way to send you certificates every 60 days?

  29. Link Mauve

    They do have a choice, it’s only the automated setup which requires a CNAME, you can contact us for anything more specialised.

  30. Link Mauve

    It’d be a ssh away if anyone requested that.

  31. Link Mauve

    So far, none of our ~70 domain owners did.

  32. flow

    moparisthebest, personally, I am not willing to give up on DNSSEC, as I think it becomes more and more available. People just overestimated how fast it would be deployed and "replace" the existing status quo. That appears to be a pattern that repeats again and again in tech

  33. moparisthebest

    I'm not interested in XMPP for the status quo 20 years ago, I'm interested in XMPP for the real world of today

  34. Link Mauve

    Same.

  35. moparisthebest

    Today, when all certs are renewed every 60 days and you can't count on dnssec

  36. moparisthebest

    I think that paints us into a corner of using https for secure delegation

  37. moparisthebest

    But happy to have other alternatives

  38. Zash

    flow, did you say IPv6?

  39. Link Mauve

    moparisthebest, do you want to suddenly make all of our users unable to delegate to us, unless they change their DNS configuration? :)

  40. flow

    Zash, yep, another example was when the EU (or was it just Germany?) tried to replace FM radio in cars with DAB ~10-15 years ago

  41. moparisthebest

    Link Mauve: why wouldn't that continue to work? But they could also let you host XMPP for their top level domain while still running their own https/email etc

  42. Link Mauve

    moparisthebest, and have to migrate their JID?

  43. moparisthebest

    Why would anyone have to change anything?

  44. Link Mauve

    Some of our users don’t even host an HTTP server.

  45. moparisthebest

    It opens it up to doing this with top level domains that is not available now

  46. Link Mauve

    Not on the apex nor anywhere else.

  47. moparisthebest

    Right, all that continues to work...

  48. Link Mauve

    With your solution, they would have to do so.

  49. moparisthebest

    No, you would, you're the XMPP host

  50. moparisthebest

    No, you would, you're the XMPP host

  51. moparisthebest

    It's not like srv would cease working...

  52. moparisthebest

    Tldr we need a way to advertise quic, we need a way to pin keys, we need secure delegation

  53. moparisthebest

    We can add another srv/srv2 record, and a replacement for posh, and end up with 4 https requests and 3 srv lookups for connection

  54. moparisthebest

    Or, we can decide existing host-meta is the way forward for new things and extend it

  55. moparisthebest

    Extending host-meta seems like the clear winner to me?

  56. flow

    maybe, does one exclude the other?

  57. flow

    I'd treat it as everything tech related, experiment with it, and see how it works out

  58. Zash

    Nooooooo, it'll catch on and then we're stuck with it forever

  59. flow

    ha, being stuck with a kindaish works thingy forever, even though better things are available, is also a repeating pattern: xep27 anyone? or old-omemo?

  60. flow

    but you can't stop people from "experimenting" with stuff, and if it gets momentum and adoption, then it basically can't be stopped (and also, why would you, if it remedies an itch ppl have?)

  61. moparisthebest

    Well you really don't want both or everyone is stuck doing all the things forever

  62. moparisthebest

    But yea I'll probably experiment, that's what xmpp-proxy was built for