XSF Discussion - 2022-02-12

Link Mauve, I do not recall doing anything on the server around that time

but I might have an idea what is going on, thank you for reporting that

No worries, it just popped up in poezio and I thought you’d be interested. :)

How would people feel if instead of migrating to srv2 we just crammed everything in host-meta over https ?

Everything as in starttls, direct TLS, quic, posh replacement pinning keys instead of certs etc

moparisthebest, and require an entire HTTP stack just for connecting?

Nothanks.

Link Mauve: you already need a whole http stack

Also I've given up hope in dnssec

You don’t.

I have written many clients and some servers without doing a single HTTP request.

General-purpose clients will need that for HTTP File Upload, but that’s kind of the only one?

Link Mauve: so how do you handle secure delegation for hosted XMPP without an http client for posh or widespread dnssec?

How many clients do POSH?

Last time I tried, it wasn’t worth it using for our hosted service.

moparisthebest, I think one reason, if not the main reason, that DNSSEC did no see wide adoption in the last decade is that it does not provide much to closed-silo networks: if you control all clients and all servers, then you probably just pin the TLS certs (and maybe even the IPs)

Link Mauve: right, it's not widely supported, and that's a problem

So instead we recommend our users to use a CNAME delegation, it creates worse-looking JIDs but that’s the safest way.

We can kill 8 birds with 1 https request here

Noooooooooooooooooooooooooooooooooooooooooooo

flow: right I'm concerned with the open federated network

Link Mauve: cname delegation is a hack that doesn't work for most of the names people want

Do people care?

Our users don’t seem to at least.

I couldn't move my names to a hosted service for instance

If they did do they have a choice?

You could, by providing us your certificates.

You have an automated way to send you certificates every 60 days?

They do have a choice, it’s only the automated setup which requires a CNAME, you can contact us for anything more specialised.

It’d be a ssh away if anyone requested that.

So far, none of our ~70 domain owners did.

moparisthebest, personally, I am not willing to give up on DNSSEC, as I think it becomes more and more available. People just overestimated how fast it would be deployed and "replace" the existing status quo. That appears to be an pattern that repeats again and again in tech

I'm not interested in XMPP for the status quo 20 years ago, I'm interested in XMPP for the real world of today

Same.

Today, when all certs are renewed every 60 days and you can't count on dnssec

I think that paints us into a corner of using https for secure delegation

But happy to have other alternatives

flow, did you say IPv6?

moparisthebest, do you want to suddenly make all of our users unable to delegate to us, unless they change their DNS configuration? :)

Zash, yep, another example was when the EU (or was it just germany?) tried to replace FM radio in cars with DAB ~10-15 years ago

Link Mauve: why wouldn't that continue to work? But they could also let you host XMPP for their top level domain while still running their own https/email etc

moparisthebest, and have to migrate their JID?

Why would anyone have to change anything?

Some of our users don’t even host an HTTP server.

It opens it up to doing this with top level domains that is not available now

Not on the apex nor anywhere else.

Right, all that continues to work...

With your solution, they would have to do so.

No, you would, you're the XMPP host ✏

It's not like srv would cease working...

Tldr we need a way to advertise quic, we need a way to pin keys, we need secure delegation

We can add another srv/srv2 record, and a replacement for posh, and end up with 4 https requests and 3 srv lookups for connection

Or, we can decide existing host-meta is the way forward for new things and extend it

Extending host-meta seems like the clear winner to me?

maybe, does one exclude the other?

I'd treat is as everything tech related, experiment with it, and see how it works out

Nooooooo, it'll catch on and then we're stuck with it forever

ha, being stuck with a kindaish works thingy forever, even though better things are available, is also a repeating pattern: xep27 anyone? or old-omemo?

but you can't stop people from "experimenting" with stuff, and if it gets momentum and adoption, than it basically can't bet stopped (and also, why would you, if it remedies an itch ppl have?)

Well you really don't want both or everyone is stuck doing all the things forever

But yea I'll probably experiment, that's what xmpp-proxy was built for