XSF Discussion - 2024-05-22


  1. flow

    MSavoritias fae.ve, I think there are multiple proposals. the problem isn't lack of proposals, it is lack of consensus (as so often) :)

  2. flow

    MSavoritias fae.ve, I think there are multiple proposals. the problem probably isn't lack of proposals, it is lack of consensus (as so often) :)

  3. MSavoritias fae.ve

    maybe. also lack of a person with time to actually push this forward i would say

  4. MSavoritias fae.ve

    (not pointing any fingers obviously, we all have our own projects/things)

  5. flow

    sure

  6. lovetox

    > Well iirc some domains cannot be used in a jid ever is that true? the JID spec just points to the IDNA2003 spec

  7. singpolyma

    lovetox: JIDs are encoded in unicode instead of using idna. JIDs also must pass stringprep...

  8. lovetox

    > lovetox: JIDs are encoded in unicode instead of using idna. JIDs also must pass stringprep... this sentence is on many levels wrong, maybe read https://xmpp.org/rfcs/rfc6122.html#addressing-domain As i wound have understood is, every domain is supported, especiall internationalized ones with non-ascii characters, should be no problem in xmpp

  9. singpolyma

    lovetox: yes, that section easily describes the problem

  10. lovetox

    enlighten me?

  11. singpolyma

    The domainpart is encoded as unicode

  12. singpolyma

    And then we apply stringprep

  13. singpolyma

    it's the same problem as for resources, but for domain names

  14. lovetox

    you mean we apply the nameprep profile, the profile specifically made for Internationalized Domain Names ?

  15. lovetox

    and this would be only the case if you follow the obsolete rfc6122, if you follow the rfc7622 it completely offloads to the IDNA2008 spec

  16. singpolyma

    so you would interpret https://www.rfc-editor.org/rfc/rfc7622.html#section-3.2 to mean not to run nameprep?

  17. moparisthebest

    > and this would be only the case if you follow the obsolete rfc6122, if you follow the rfc7622 it completely offloads to the IDNA2008 spec Can't do it without fracturing the public federated network

  18. lovetox

    as the whole section does not mention nameprep, it would be surprising to me if you read that

  19. lovetox

    > Can't do it without fracturing the public federated network i highly doubt it, the whole world moved from idna2003, to idna2008, email clients, browsers, etc., not saying that this is painless, but saying its impossible and no jid "ever" will be able to contain these characters .. is a bit hyperbolic

  20. lovetox

    particular for domain names i think it would be not a big deal there exist even compatibility mappings which soften the transition

  21. lovetox

    https://www.unicode.org/reports/tr46/

  22. lovetox

    are we expecting many xmpp servers running on IDNA2008 incompatible domain names?

  23. moparisthebest

    It's been a long time since I looked up the details but iirc precis isn't backwards compatible with stringprep, validates and changes JIDs differently, and there's no negotiation so: 1. The entire network, all clients and servers, have to update all at once on a flag-day (never gonna happen) 2. Bits update individually breaking everyone (so never gonna happen)

  24. lovetox

    yes and there are IDNA2003 Domains that are incompatible with IDNA2008 domains, did the world have a flag day?

  25. lovetox

    if you think im proposing everyone should uncoordinate just go for precis and yolo it

  26. moparisthebest

    We not only have domains (we could roughly check those) but also localparts we cannot check

  27. lovetox

    no, of course not, but a plan can be formulated and then executed

  28. lovetox

    yes localparts are surley the biggest problem

  29. moparisthebest

    Please do so then, but I'm skeptical it can be done

  30. lovetox

    first step would be to give server operators a tool that lets them check if they even have incompatible localparts

  31. moparisthebest

    If you pulled off a miracle and got all code updated tommorow, Arch users would be running it next week and Debian users not for a decade

  32. Zash

    For domains, registrars can just not let you register domains where there would be idna 2003 vs 2008 problems

  33. lovetox

    moparisthebest, we could also propse a new rfc, that says localpart stays the same

  34. lovetox

    and only resources and domains are upgraded

  35. Zash

    I only heard of one case where ß was involved

  36. lovetox

    yeah i think domain is the least problem, i think all servers could simply check for idna2008 compatibility and its fine

  37. lovetox

    this transition was already done by other people for us

  38. moparisthebest

    lovetox: so when you find users that are broken... Then what?

  39. moparisthebest

    You can just migrate them to another jid with... Oh right that doesn't exist 💀

  40. lovetox

    Option 1: New spec that says localpart stays at strinprep, i see no problem with that, we dont need precis there. Option 2: Tell the users with a long perioid of time, to register a new account

  41. lovetox

    Option 3: Define new MUC spec that makes nickname independent from resource -> No precis for resource necessary

  42. lovetox

    there are 3 problems, and i think they should be split up into its own solutions

  43. moparisthebest

    https://xkcd.com/1172/

  44. moparisthebest

    > Option 2: Tell the users with a long perioid of time, to register a new account "Did you just tell me to go fuck myself?" "I believe I did, Bob" https://howfuckedismydatabase.com/nosql/

  45. moparisthebest

    I would be *very* annoyed if my jid, which is the same as my email, and my name, ever had to change ever...

  46. moparisthebest

    It's not a problem for me personally but I assume some Germans out there feel the same

  47. lovetox

    you picked a bad example, precis is better for german names

  48. lovetox

    there are only 4 special chars in german, ßöäü

  49. lovetox

    öäü behave the same between strinprep and precis

  50. lovetox

    and ß is mapped in strinprep to "ss" which means the user cannot have this char in his jid

  51. lovetox

    but with precis its now possible.

  52. lovetox

    so everything fine, german usernames -> ✅️

  53. singpolyma

    yeah, the localpart and resourcepart things are annoying from time to time, but the domain one is really my main concern. if no one is actually using nameprep in their code in practise then maybe it's fine?

  54. Zash

    Is there an example of an actual problem in real life?

  55. lovetox

    thats also was interesting, everyone is always stating theoretical problems .. lets get down to it, provide tools for server operators to check their userbase

  56. lovetox

    and get some stats on it

  57. arne-brün

    For example with my jid :). But actually it wasn't really a problem

  58. Zash

    IIRC there was a domain like straße.example (xn--something) where strasse.example was owned by a different party, but I believe registrars try harder to avoid that kind of thing these days.

  59. Zash

    There's also some kind of IDNA 2008 compatibility processing so ß == ss still

  60. lovetox

    Yes I posted the link above

  61. Zash

    tr46? ah, right yes precisely

  62. singpolyma

    > thats also was interesting, everyone is always stating theoretical problems .. lets get down to it, provide tools for server operators to check their userbase I mean, the question just comes down to if any servers or clients are currently running nameprep on jids or not

  63. lovetox

    In Gajim we accept both standards

  64. lovetox

    And so in my opinion every client should

  65. lovetox

    I see no reason for a client to strictly enforce stringprep

  66. lovetox

    I see the need sometimes to pre validate a jid in the GUI. But it's ok if this check is not 100%.

  67. moparisthebest

    lovetox: do you do any normalization for display though?

  68. lovetox

    for localparts? how would that be possible?

  69. lovetox

    this is not a reversible mapping

  70. lovetox

    for a reversible mapping we have XEP-0106

  71. moparisthebest

    Well, anything, might open up some impersonation attacks

  72. Zash

    have some http://www.unicode.org/reports/tr39/ for that

  73. MSavoritias fae.ve

    dont we have this problem "simply" because we have usernames and users can pick their name in a chat?

  74. moparisthebest

    It applies to muc nicks and JID localparts the same no?

  75. lovetox

    precis filters out look a likes

  76. lovetox

    or better said, maps them

  77. lovetox

    or better said, maps them to other characters

  78. lovetox

    but to answer your question, no we dont have any measures for look a like usernames in Gajim

  79. MSavoritias fae.ve

    > It applies to muc nicks and JID localparts the same no? right that was my understanding

  80. lovetox

    here some stats i quickly gathered between precis and stringprep *just for localpart*

  81. lovetox

    Codepoints: Allowed 88476 Allowed only in nodeprep 6259 Allowed only in precis 43350 Allowed but differently mapped 72

  82. lovetox

    here i gathered all codepoints

  83. lovetox

    https://share.hoerist.com/philipp/pVfdRcGzuw4Js1hS/precis_nodeprep_analysis.txt

  84. lovetox

    i think the differnet mappings are not really a problem

  85. lovetox

    and its suprising what is allowed in nodeprep

  86. lovetox

    this is currently an allowed JID, ⢸⢸⢸⢸⢸⢸⢸⢸⢸⢸⢸⢸⢸@test.com

  87. lovetox

    :D

  88. lovetox

    or ⥂⥂⥂⥂@test.com

  89. lovetox

    i hope to god my jid preparation is not completely wrong :D

  90. lovetox

    here for resourceprep the analysis

  91. lovetox

    https://share.hoerist.com/philipp/JkU6D6KaNswNUr8j/resourceprep_preics_analysis.txt

  92. lovetox

    only 285 ! characters are only in resourceprep allowed

  93. rion

    lovetox: I'm working on a C++Qt PRECIS lib. Can you help me validate it when ready? :)

  94. lovetox

    i simply looped through the intergers 1 -> 1.000.000 and passed them to this python lib https://pypi.org/project/precis-i18n/