XSF Discussion - 2023-11-08


  1. harold

    Guys, for you, sip:tom@sip.domain.net and xmpp:joe@conversations.im , are DID, or URI ? Do you know examples of companies or organisations communicating with others ones, using them?

  2. larma

    harold: Those are URIs, not DIDs. DIDs are of the form did:<method>:<method-specific-id>, where the method specific ID typically looks random (is a hash or public key) and not user friendly. XMPP and SIP (among others) use federated IDs, that typically have a user-friendly name and a domain name and some separators (e.g. name@domain, @name@domain or @name:domain). As those identifiers are protocol-specific, we need to prefix them with a protocol scheme to make them URIs, that's why we have xmpp:user@domain

  3. phryk

    Does the XSF have something like a resident cryptographer? I just heard about PQXDH and am wondering whether there's already plans to integrate it into OMEMO.

  4. MSavoritias fae.ve

    the question is why integrate into omemo instead of MLS?

  5. MSavoritias fae.ve

    imo of course

  6. pep.

    phryk: there's xmpp:e2ee@muc.xmpp.org?join, but people there would probably be around here too

  7. phryk

    MSavoritias fae.ve, hadn't heard about MLS before, but there doesn't seem to be an existing XEP for it – is that something that's being worked on?

  8. MattJ

    Yes

  9. MSavoritias fae.ve

    afaik a xep for MLS is being worked on yes.

  10. MSavoritias fae.ve

    MLS is the encryption standard by IETF

  11. MattJ

    Our mid-to-long term plan is to move to MLS

  12. MSavoritias fae.ve

    its a plan? i thought it was up in the air still?

  13. MSavoritias fae.ve

    not that i disagree

  14. Daniel

    I mean plans can change obviously. But there seems to be a consensus to at least strongly explore a migration to MLS

  15. MattJ

    MSavoritias fae.ve, it's as much a plan as I think you'll get at this point, it was generally agreed at the summit, I've seen no objections

  16. MSavoritias fae.ve

    nice. :D

  17. MattJ

    It makes sense for a lot of reasons, at least for groups. I've seen suggestions that maybe we keep OMEMO for 1:1, but I think that's something that would be determined after implementation experience.

  18. phryk

    Is there an overview of MLS cryptographic properties? Like, the abstract already says it does some stuff around forward secrecy and post-compromise security, but especially metadata security and secrecy are things I'd like to see improved.

  19. Daniel

    I guess it also depends a lot on how much adoption MLS sees outside xmpp. More adoption = more libraries = easier to adopt for us

  20. MSavoritias fae.ve

    yeah. probably not at the same time remove omemo

  21. MSavoritias fae.ve

    but i would definetily see why using MLS for everything would make it easier

  22. MSavoritias fae.ve

    assuming it has libraries

  23. MattJ

    phryk, I think everything would be in the RFCs or linked from the working group page. There is some attention paid to metadata protection, but I don't know how much of that will carry over to XMPP.

  24. phryk

    Way I see it, it would be prudent to have some sort of post-quantum defense in XMPP in the next couple years and at least that long we'd still be primarily on OMEMO for E2EE. That sound about right?

  25. MattJ

    Yes, nothing happens in the broader ecosystem within 2 years :)

  26. MattJ

    That's about as long as a Debian release cycle

  27. phryk

    Well, sometimes there are surprises I get, but yeah, it's not just releasing a package, but a new standard after all. 🙂

  28. MattJ

    So even if we implemented a change in all clients *today*, you're going to have people using yesterday's clients for years

  29. MSavoritias fae.ve

    true. but the thing is changing to PQXDH sounds like a backwards incompatible change

  30. MSavoritias fae.ve

    and we already have trouble getting clients to newer omemo

  31. MSavoritias fae.ve

    the MLS RFC is here btw https://datatracker.ietf.org/doc/rfc9420/

  32. MSavoritias fae.ve

    phryk, from my reading MLS does more about metadata protection than omemo

  33. MSavoritias fae.ve

    and it has post-compromise security

  34. phryk

    Mhh, I should probably at least start thinking about adding encryption scheme tiering with messages encouraging users to upgrade to newer/better schemes with a grace period to my fork of mod_e2e_policy…

  35. MSavoritias fae.ve

    the thing it doesnt have is deniability. but omemo doesnt have great deniability either

  36. phryk

    MSavoritias fae.ve, yeah, I have the spec open, but I was hoping for a more high-level overview of things because I'm lazy and my executive functions are kinda fucked. 😛

  37. MSavoritias fae.ve

    look at the RFCs the PQXDH you mentioned could be added on top. there is or was a key exchange one either way https://datatracker.ietf.org/doc/draft-mahy-mls-x25519kyber768draft00/

  38. phryk

    btw, am I reading my chicken bones right that the move to MLS would also foreshadow a normalization of E2EE'd MUCs?

  39. MSavoritias fae.ve

    (and then mentioned in the xep)

  40. phryk

    Oh, kyber is what PQXDH is based on, too.

  41. MattJ

    phryk, yes

  42. MSavoritias fae.ve

    > btw, am I reading my chicken bones right that the move to MLS would also foreshadow a normalization of E2EE'd MUCs? not all of them. but the scaling issues yes

  43. phryk

    nice, that's a big thing for XMPP imo :3

  44. MSavoritias fae.ve

    MLS has much better scaling afaik

  45. MSavoritias fae.ve

    plus MLS can keep the people part of the group hidden. idk if that will actually happen in xmpp tho

  46. phryk

    Yeah, I still have to do a deep dive on OMEMO+MUC at some point. At least MUCs themselves already have surface-level pseudonymity, which is more than many other group chat things can say… :F

  47. phryk

    Someting akin to federated/distributed accounts would still be interesting, kind of the other end of what the metacontact XEP attempts. I hope I get properly back into working on my XMPP stuff, but it looks like I'm facing some more downtime there. 😕

  48. MSavoritias fae.ve

    you mean nomadic accounts? i would be interested in that too at some point

  49. phryk

    Yes, that would fall under that, too – but I'm more broadly interested. You could also have one account on multiple servers that automatically get shared as a metacontact so you have a failover. Or a limited form of the current in-band registration for temporary accounts. Those could also be distributed over multiple machines, possibly bound together by some unique permanently valid identifier (or not, for true anonymity).

  50. phryk

    Essentially, I'm looking at a possible future for XMPP that kinda blurs the line between a service-centered setup and true p2p.

  51. MSavoritias fae.ve

    i am exploring a client with gnunet. (aka true p2p) so a nomadic account in that setting would solve the "you lose your device/devices, you lose your data" problem

  52. MSavoritias fae.ve

    hence my interest in nomadic accounts

  53. phryk

    because service-centered coms are great for building communities, but for more security-dependent things like journalism and activism, the more ephemeral any metadata is, the better.

  54. phryk

    haven't looked into gnunet, it sounded like it shared some attributes with TOR but has a different mission?

  55. MSavoritias fae.ve

    its basically rearchitecturing the internet around identifiers instead of IPs. and a DHT to deliver messages. plus encrypted by default at the transport level

  56. MSavoritias fae.ve

    the nomadic identities i was thinking something inspired by zot for xmpp: https://hubzilla.org/help/en/developer/zot_protocol

  57. MSavoritias fae.ve

    but not sure how it would map exactly on top of it

  58. phryk

    weird… that redirects to https://hubzilla.org/help/about/about but going over a search engine has me arrive at the same url…

  59. MSavoritias fae.ve

    briar has another project like that called mailbox. in that case the "server" is just a dumb pipe for messages

  60. phryk

    ah no, different domain.

  61. MSavoritias fae.ve

    moving away of all stuff being on the server sounds good to me. but a bit unpopular inside xsf as i have seen

  62. MSavoritias fae.ve

    plus the whole problem of relisiency. you need nomadic accounts before moving stuff of the server

  63. MSavoritias fae.ve

    (i am saying nomadic accounts as a framework here. one part being moving accounts to a new device)

  64. phryk

    i think having 0 server-side metadata should only be one option and not the default. for the vast majority of people, service-based messaging is better. enables moderation and is generally more amenable to community-building.

  65. phryk

    nomadic accounts i absolutely agree on, tho i think for most people the main use would be migrating your identity when their xmpp sevice closes.

  66. MSavoritias fae.ve

    depends what model you are looking at. currently absolutely

  67. MSavoritias fae.ve

    and i agree we are missing a lot of architectural pieces to make it anywhere near viable

  68. phryk

    https://yewtu.be/watch?v=iCvhpeUp3vg "Nobody Said It Was Easy" 😛

  69. phryk

    Still XMPP is by far the best Free™ coms solution we have IMO – and the one where it's best to invest our resources.

  70. phryk

    But yeah, nomadic identities are an obvious thing to work towards, because it enables a lot of different things, at least some of which are useful to the majority of XMPP users. Mhh, I might actually mess around with that at some point, seeing as it could just be a Prosody module…

  71. MSavoritias fae.ve

    Fyi there is already a xep and systems in place for accolnt migration

  72. MSavoritias fae.ve

    But it doesnt migrate everything afaik

  73. phryk

    Oh, good to know, then there might already be an existing module I can just fuck around with, like I did with mod_e2e_policy. :>

  74. MattJ

    I think you'd probably just want a way to grant a server access to your old account

  75. MSavoritias fae.ve

    Some pointers: https://docs.modernxmpp.org/projects/portability/ https://migrate.modernxmpp.org/

  76. MattJ

    If you want that kind of migration

  77. MattJ

    It would require support from the new server, obviously, but not the old one, which is good

  78. MSavoritias fae.ve

    Yeah if you still have the client it has all the data anyway.

  79. phryk

    Mhh, will have to think about this and obviously first read into prior work. Going over the client sounds better to me intuitively, tho. 🙂

  80. phryk

    Anyhow, going to do this "work" thing now before I procrastinate half the day away. 😛

  81. pep.

    You mean you're gonna procrastinate account migration all day with work?

  82. harold

    > harold: Those are URIs, not DIDs. DIDs are of the form did:<method>:<method-specific-id>, where the method specific ID typically looks random (is a hash or public key) and not user friendly. XMPP and SIP (among others) use federated IDs, that typically have a user-friendly name and a domain name and some separators (e.g. name@domain, @name@domain or @name:domain). As those identifiers are protocol-specific, we need to prefix them with a protocol scheme to make them URIs, that's why we have xmpp:user@domain So 1234 is a sip did number where sip:1234@domain.com or xmpp:1234@domain.com are URI?

  83. MattJ

    harold, a DID is a type of URI that begins with 'did:', so 1234 is not a DID

  84. MattJ

    There is an example of what a DID looks like in the spec: https://www.w3.org/TR/did-core/#a-simple-example

  85. MattJ

    and for the second half of your question, yes, sip:1234@domain.com and xmpp:1234@domain.com are URIs

  86. harold

    > There is an example of what a DID looks like in the spec: https://www.w3.org/TR/did-core/#a-simple-example What is a DID? A Direct Inward Dial number (DID), in simple terms, is a virtual number that, for all intents and purposes, can be considered a regular phone number, with the exception that it is not attached to any POTS line (Landline). Once your configuration is ready, your DID will be the phone number that everyone in the world will call to reach you, just like any other phone number. https://wiki.voip.ms/article/FAQ

  87. harold

    Does some of you knows well sip?

  88. MattJ

    Ooook, yes, I can see the confusion :)

  89. MattJ

    What exactly is the underlying question?

  90. harold

    > What exactly is the underlying question? From me? Its about sip, but also snikket

  91. MattJ

    I'm even more interested and confused how Snikket fits into the question :)

  92. Zash

    This seems relevant to my interests https://www.rfc-editor.org/rfc/rfc9525.html

  93. Zash

    But still no movement in cabf on srvnames? :(

  94. pep.

    yay! and :(

  95. moparisthebest

    > That's about as long as a Debian release cycle We have to stop thinking in these terms, even the people who use Debian get all their XMPP clients from flatpak, most people are running on the latest release of their client

  96. singpolyma

    I certainly hope not, nor does my experience supporting users xupport this assertion

  97. singpolyma

    I certainly hope not, nor does my experience supporting users support this assertion

  98. singpolyma

    People are running year old versions of android clients even

  99. Zash

    Festina lente

  100. Kev

    Reading Eddie's Board application, and the line implying we've failed to apply for FOSDEM on time, have I missed something?

  101. moparisthebest

    If you prefer I can reword it: Even people using Debian *can* install the latest clients in a supported way with flatpak

  102. MattJ

    Kev, you've missed nothing

  103. Kev

    > , you've missed nothing Ta. I don't really understand the comment that we need to improve on this, then!

  104. MattJ

    I'm pretty sure 38c3 wasn't a case of "we missed it" either

  105. phryk

    If you want to do stuff during FOSDEM, OFFDEM will probably happen again and be a bit more lassez-faire about late reservations.

  106. Kev

    AFAIK, we *got* the usual FOSDEM stuff, which is why I'm confused.

  107. emus

    > Kev: > 2023-11-08 04:24 (GMT+01:00) > Reading Eddie's Board application, and the line implying we've failed to apply for FOSDEM on time, have I missed something? I think its wrong

  108. emus

    sorry

  109. emus

    Still, my concern is about organisation. Things should be organised with more dedication

  110. emus

    XMPP Meet-up Berlin mattj talks about "Spam, Abuse and Moderation" in 15 minutes, join via: https://meet.in-berlin.de/XMPPMeetupBerlin https://fosstodon.org/@xmpp/111368609961723465

  111. Daniel

    Holger, MattJ fwiw the Bind 2 XEP still has language the strongly suggest you have to do the MAM stuff. But as MattJ correctly pointed out clients (at least Conversations) doesn’t use this currently

  112. Daniel

    we could consider making this more optional in the XEP

  113. Daniel

    (there is a "the server MUST figure out the latest mam id) and a SHOULD include the metadata

  114. Daniel

    (there is a "the server MUST figure out the latest mam id) and a SHOULD include the metadata)

  115. MattJ

    I would like to fix the initial message race condition, but yeah, I don't think we want it to hold back SASL2 adoption if implementations are finding it hard

  116. Holger

    FWIW in principle I totally agree it's meh to leave this to clients.

  117. Holger

    Just saying it's not necessarily 'simple' to do otherwise 🙂

  118. MattJ

    Yeah

  119. Daniel

    and while MattJ and my marketing team has decided to call the whole stack FAST as a sort of catch all term, the actual fast xep is probably the last of the three XEP you want to implement

  120. Zash

    Quickly, someone backronym STACK :)

  121. MattJ

    SASL Turbo Authentication Connection Kit

  122. jonas’

    Secure, Timely Authenticated Connection Kit

  123. cal0pteryx

    Which 3? XEPs are those exactly? Searching for "fast" doesn't show relevant results on xmpp.org/extensions Something for XEP tagging maybe? :)

  124. Zash

    Hm, the Prosody module docs links to https://xmpp.org/extensions/inbox/xep-fast.html

  125. edhelas

    It is possible to have several jabber:x:data forms in a disco#info ?

  126. Daniel

    edhelas: yes

  127. lovetox

    edhelas, with different FORM_TYPE of course

  128. edhelas

    #TodayILearned

  129. Daniel

    Different extentions that put data there will each use their own form

  130. Daniel

    Otherwise you'd have to namespace the field names

  131. nicoco

    ^ This guy was accusing me of not having my code properly tested, can you believe it?

    👀 1
  132. lovetox

    code needs to iterate over all jabber:x:data nodes, and search for the correct FORM_TYPE

  133. Zash

    What will they come up with next? Accusations of not having the tests properly coded??

  134. edhelas

    0424 dropped the support of Message Fastening but not 0425, is there a specific reason for it ?

  135. s1

    hello, what's the best xmpp client for iphone, using jingle for audio/video?

  136. moparisthebest

    Monal, Siskin, or Snikket

  137. s1

    ‎09/11/2023 | 00:04:10 ‎moparisthebest‎: Monal, Siskin, or Snikket < i tried, and compared to conv/quicksy......:'(

  138. MattJ

    s1: then please provide feedback to the developers

  139. mathieui

    No devroom at fosdem then?

  140. singpolyma

    I thought it had already been approved?