-
Andrzej
Link Mauve, I do not recall doing anything on the server around that time
-
Andrzej
but I might have an idea what is going on, thank you for reporting that
-
Link Mauve
No worries, it just popped up in poezio and I thought you’d be interested. :)
-
moparisthebest
How would people feel if instead of migrating to srv2 we just crammed everything in host-meta over https?
-
moparisthebest
Everything as in starttls, direct TLS, quic, posh replacement pinning keys instead of certs etc
-
Link Mauve
moparisthebest, and require an entire HTTP stack just for connecting?
-
Link Mauve
No thanks.
-
moparisthebest
Link Mauve: you already need a whole http stack
-
moparisthebest
Also I've given up hope in dnssec
-
Link Mauve
You don’t.
-
Link Mauve
I have written many clients and some servers without doing a single HTTP request.
-
Link Mauve
General-purpose clients will need that for HTTP File Upload, but that’s kind of the only one?
-
moparisthebest
Link Mauve: so how do you handle secure delegation for hosted XMPP without an http client for posh or widespread dnssec?
-
Link Mauve
How many clients do POSH?
-
Link Mauve
Last time I tried, it wasn’t worth using for our hosted service.
-
flow
moparisthebest, I think one reason, if not the main reason, that DNSSEC did not see wide adoption in the last decade is that it does not provide much to closed-silo networks: if you control all clients and all servers, then you probably just pin the TLS certs (and maybe even the IPs)
-
moparisthebest
Link Mauve: right, it's not widely supported, and that's a problem
-
Link Mauve
So instead we recommend our users to use a CNAME delegation, it creates worse-looking JIDs but that’s the safest way.
-
moparisthebest
We can kill 8 birds with 1 https request here
-
Zash
Noooooooooooooooooooooooooooooooooooooooooooo
-
moparisthebest
flow: right I'm concerned with the open federated network
-
moparisthebest
Link Mauve: cname delegation is a hack that doesn't work for most of the names people want
-
Link Mauve
Do people care?
-
Link Mauve
Our users don’t seem to at least.
-
moparisthebest
I couldn't move my names to a hosted service for instance
-
moparisthebest
If they did do they have a choice?
-
Link Mauve
You could, by providing us your certificates.
-
moparisthebest
You have an automated way to send you certificates every 60 days?
-
Link Mauve
They do have a choice, it’s only the automated setup which requires a CNAME, you can contact us for anything more specialised.
-
Link Mauve
It’d be a ssh away if anyone requested that.
-
Link Mauve
So far, none of our ~70 domain owners did.
-
flow
moparisthebest, personally, I am not willing to give up on DNSSEC, as I think it becomes more and more available. People just overestimated how fast it would be deployed and "replace" the existing status quo. That appears to be a pattern that repeats again and again in tech
-
moparisthebest
I'm not interested in XMPP for the status quo 20 years ago, I'm interested in XMPP for the real world of today
-
Link Mauve
Same.
-
moparisthebest
Today, when all certs are renewed every 60 days and you can't count on dnssec
-
moparisthebest
I think that paints us into a corner of using https for secure delegation
-
moparisthebest
But happy to have other alternatives
-
Zash
flow, did you say IPv6?
-
Link Mauve
moparisthebest, do you want to suddenly make all of our users unable to delegate to us, unless they change their DNS configuration? :)
-
flow
Zash, yep, another example was when the EU (or was it just Germany?) tried to replace FM radio in cars with DAB ~10-15 years ago
-
moparisthebest
Link Mauve: why wouldn't that continue to work? But they could also let you host XMPP for their top level domain while still running their own https/email etc
-
Link Mauve
moparisthebest, and have to migrate their JID?
-
moparisthebest
Why would anyone have to change anything?
-
Link Mauve
Some of our users don’t even host an HTTP server.
-
moparisthebest
It opens it up to doing this with top level domains, which is not available now
-
Link Mauve
Not on the apex nor anywhere else.
-
moparisthebest
Right, all that continues to work...
-
Link Mauve
With your solution, they would have to do so.
-
moparisthebest
No, you would, you're the XMPP host
-
moparisthebest
It's not like srv would cease working...
-
moparisthebest
Tldr we need a way to advertise quic, we need a way to pin keys, we need secure delegation
-
moparisthebest
We can add another srv/srv2 record, and a replacement for posh, and end up with 4 https requests and 3 srv lookups for connection
-
moparisthebest
Or, we can decide existing host-meta is the way forward for new things and extend it
-
moparisthebest
Extending host-meta seems like the clear winner to me?
-
flow
maybe, does one exclude the other?
-
flow
I'd treat it as everything tech related, experiment with it, and see how it works out
-
Zash
Nooooooo, it'll catch on and then we're stuck with it forever
-
flow
ha, being stuck with a kindaish works thingy forever, even though better things are available, is also a repeating pattern: xep27 anyone? or old-omemo?
-
flow
but you can't stop people from "experimenting" with stuff, and if it gets momentum and adoption, then it basically can't be stopped (and also, why would you, if it remedies an itch ppl have?)
-
moparisthebest
Well you really don't want both or everyone is stuck doing all the things forever
-
moparisthebest
But yea I'll probably experiment, that's what xmpp-proxy was built for