XSF Discussion - 2024-03-12


  1. MSavoritias fae.ve

    > Consider that an observing entity can see the certificates and pubkeys used in a TLS negotiation, so if we were to simulate SMTP or XMPP we do not just need certificates signed by a credible authority, they also need to have the respective bits set. Maybe many XMPP sites actually do not care, but XMPP certificates were supposed to have a specific XMPP flag set.

  2. MSavoritias fae.ve

    Anyone know what this means? I have never heard of XMPP needing "special" certificates.

  3. Zash

    There are ways to issue certificates that include the intended protocol, which is great because then a compromised email cert couldn't be used to intercept web traffic or vice versa. However, this whole area is forbidden by the Cabal, so the whole thing is moot. Feel free to forget all about it.

  4. MSavoritias fae.ve

    Ah. So that message is again a decade out of date, probably :P Thanks.

  5. Zash

    I vaguely recall that TLS 1.3 may also have hidden the certificate exchange, so it may be further out of date

  6. Zash

    Plus XMPP services need HTTPS services these days, so you need HTTPS certs anyway.

  7. MSavoritias fae.ve

    Right, HTTP upload and such.

  8. Daniel

    FWIW, Conversations' certificate checker actually supports that. But no CA will issue such a certificate.

  9. Zash

    SRV names? Prosody too. It is mandated by the RFCs after all.

  10. Daniel

    > Plus XMPP services need HTTPS services these days, so you need HTTPS certs anyway.

    Those could be hosted on a separate domain though.

  11. Daniel

    As the owner and operator of a domain hosting services, having SRV-encoded certificates would be nice, actually.

  12. pep.

    "keyUsage", not SRV names, right?

  13. Daniel

    But nothing we can do about it

  14. pep.

    Both?

  15. Zash

    Key usage is something else.

  16. Daniel

    There are two methods

  17. Daniel

    SRV and something more specific to XMPP, IIRC.

  18. Daniel

    But doesn't matter really

  19. Zash

    ...and why Prosody / LuaSec has hacks to allow a client certificate to be validated as if it were a server certificate.

  20. moparisthebest

    > and why Prosody / LuaSec has hacks to allow a client certificate to be validated as if it were a server certificate...

    Haha, yes, this was "fun" in Rust too.

  21. Zash

    Tangent: https://www.openwall.com/lists/oss-security/2024/03/11/2

  22. moparisthebest

    Seems good

  23. tmolitor

    > tmolitor, why is Monal marked as "wontfix" for XEP-0377 (spam reporting)?

    MattJ: that's a bug, it should be planned.

  24. Guus

    When establishing an audio/video call, should push notifications be sent to the intended recipient?

  25. jonas’

    Yes.

  26. MattJ

    Definitely. In some cases Prosody even prioritizes them (e.g. sending such notifications even while the client is connected)

  27. Guus

    I need better triggers for push notifications, I think.

  28. Guus

    We currently only send them for messages with a body.

  29. Guus

    Are there any guidelines on what to push, and when?

  30. Guus

    XEP-0357 only describes the 'how', I think.

  31. MattJ

    Hahaha, how long have you got? :)

  32. Guus

    Crap.

  33. MattJ

    If you want to do the minimum amount of work today, wait for Push 2 to arrive, which specifies this a lot more clearly.

  34. MattJ

    If you want to match what Prosody and ejabberd are doing today, you can start here: https://hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.markdown

  35. MattJ

    No guarantee that it is up to date or includes everything, though.

  36. singpolyma

    And by "wait for" I mean implement it today 😉

  37. MattJ

    Well yes, implement Push 2, but no clients support it yet :)

  38. singpolyma

    No production-grade clients.

  39. MattJ

    Which would be more likely to happen if it were a XEP already.

  40. Guus

    Thanks