-
MSavoritias fae.ve
> Consider that an observing entity can see the certificates and pubkeys used in a TLS negotiation, so if we were to simulate SMTP or XMPP we do not just need certificates signed by a credible authority, they also need to have the respective bits set. Maybe many XMPP sites actually do not care, but XMPP certificates were supposed to have a specific XMPP flag set.
-
MSavoritias fae.ve
anyone know what this means? i have never heard of xmpp needing "special" certificates
-
Zash
There are ways to issue certificates that include the intended protocol, which is great because then a compromised email cert couldn't be used to intercept web traffic or vice versa. However this whole area is forbidden by the Cabal so the whole thing is moot. Feel free to forget all about it.
-
MSavoritias fae.ve
ah. so that message is again a decade out of date probably :P thanks
-
Zash
I vaguely recall that TLS 1.3 may also have hidden the certificate exchange, so it may be further out of date
-
Zash
Plus XMPP services need HTTPS services these days, so you need HTTPS certs anyway.
-
MSavoritias fae.ve
right http upload and such
-
Daniel
Fwiw Conversations certificate checker actually supports that. But no CA will issue such a certificate
-
Zash
SRV names? Prosody too. It is mandated by the RFCs after all.
-
Daniel
> Plus XMPP services need HTTPS services these days, so you need HTTPS certs anyway. Those could be hosted on a separate domain though
-
Daniel
As the owner and operator of a domain hosting services, having srv-encoded certificates would be nice actually
-
pep.
"keyUsage" not srvnames right?
-
Daniel
But nothing we can do about it
-
pep.
Both?
-
Zash
key usage is something else
-
Daniel
There are two methods
-
Daniel
Srv and something more specific to xmpp iirc
-
Daniel
But doesn't matter really
-
Zash
and why Prosody / LuaSec has hacks to allow a client certificate to be validated as if it were a server certificate...
-
moparisthebest
> and why Prosody / LuaSec has hacks to allow a client certificate to be validated as if it were a server certificate... Haha yes this was "fun" in Rust too
-
Zash
Tangent https://www.openwall.com/lists/oss-security/2024/03/11/2
-
moparisthebest
Seems good
-
tmolitor
> tmolitor, why is Monal marked as "wontfix" for XEP-0377 (spam reporting)? MattJ: that's a bug, it should be planned
-
Guus
When establishing an audio/video call, should push notifications be sent to the intended recipient?
-
jonas’
yes.
-
MattJ
Definitely. In some cases Prosody even prioritizes them (e.g. sending such notifications even while the client is connected)
-
Guus
I need better triggers for push notifications, I think.
-
Guus
we currently only send them for messages with a body
-
Guus
are there any guidelines on what to push, when?
-
Guus
0357 only describes the 'how' I think.
-
MattJ
Hahaha, how long have you got? :)
-
Guus
crap.
-
MattJ
If you want to do the minimum amount of work today, wait for Push 2 to arrive, which specifies this a lot more clearly
-
MattJ
If you want to match what Prosody and ejabberd are doing today, you can start here: https://hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.markdown
-
MattJ
No guarantee that is up to date or includes everything, though
-
singpolyma
And by wait for I mean implement it today 😉
-
MattJ
Well yes, implement Push 2, but no clients support it yet :)
-
singpolyma
No production grade clients
-
MattJ
Which would be more likely to happen if it were a XEP already
-
Guus
Thanks