XSF Discussion - 2024-08-09


  1. Trung

    conversations is not considered as a small project i hope ?

  2. Daniel

    Conversations has existed before the NGI money came in and will continue to exist after. We have a business model that (sort of) works. NGI is an important initiative - it has also helped us to work on Ltt.rs - but Conversations doesn't rely on it.

  3. Trung

    ok

  4. Trung

    Daniel, somebody wants to kill you because you haven't released C3 yet. Do you have any comment on this?

  5. Projjal

    and I am the person who's behind this "totally serious" death threat

  6. Projjal

    😎

  7. SavagePeanut

    Trung, most of the promises of c3 have been quietly making their way to c2

  8. Projjal

    oooo

  9. dwd

    >> I've said before, terminating the "E2EE" at the server would make a lot of sense for a lot of cases. Means putting OMEMO into the server, of course, which is challenging on a number of fronts.
    > How is that any different from TLS?

    Well, I'm assuming a threat model where that level is acceptable at your end, so if you run your own server or have mutual trust with whoever does. But it would differ with just TLS at the other end.

  10. emus

    > does anyone know https://wiki.xmpp.org/web/GideonW_Application_2024 ?

    gonna be hard to vote for him given that info... Alex should I reach out?

  11. dwd

    I think that doesn't conform to the requirements laid out in the most boring XEP I ever wrote. Needs affiliations.

  12. emus

    moparisthebest: I have a technical opinion, but the "wording" is good so far. I also share your opinion in general; feel free to add it to the newsletter.

  13. Andrzej

    h

  14. Andrzej

    This person attempted to retract a previous message, but it's unsupported by your client.

  15. Alex

    > Alex should I reach out?

    I noticed this application some days ago. My plan was to reach out when it's not getting updated. I will do this today. In the current form I cannot accept it anyway. Does anyone know the applicant?

  16. Seve

    singpolyma mentioned knowing them and that they just might have not finished updating their application

  17. Alex

    yup, this is my assumption as well and why I usually wait before I reach out

  18. Alex

    Anyway, I just reached out, because I am traveling next week and will not have lots of time before the end of the deadline next week

  19. Seve

    Thank you and safe travels 🙂

  20. emus

    Alex: Thank you Alex!

  21. singpolyma

    Yes I asked that applicant and they intend to finish it but were traveling, should happen soon

  22. moparisthebest

    If a server has dialback enabled, and gets a cert from a remote server, when should or shouldn't it try dialback?

  23. singpolyma

    When the cert fails to verify at least

  24. moparisthebest

    I guess I'm asking for 2 separate answers: 1. What do server implementations in the wild do now? 2. What should they do? :)

  25. moparisthebest

    > When the cert fails to verify at least

    Just in any way? That seems wrong, no?

  26. singpolyma

    Might be nice to do it always since I'd trust dialback more than a cert

  27. moparisthebest

    I tend to think nowadays with LE the default behavior should be to only dialback on no cert at all...

  28. moparisthebest

    And so, only when TLS isn't required

  29. Zash

    Are you asking about dialback without dialback?

  30. singpolyma

    Snikket disables dialback entirely due to agreeing with you

  31. moparisthebest

    I think dialback should be disabled by default across the whole public federation for sure, and it actually seems to work fine that way for some years, but that's a different discussion :)

  32. Zash

    Dialback the protocol is bad and confusing. Dialback the abstract verification method is nice for some cases, e.g. where you can't get a cert from Let's Encrypt or somesuch.

  33. moparisthebest

    Context is from xmpp:operators@muc.xmpp.org?join where joinjabber has had an expired cert for days but didn't notice because a ton of servers connected anyway... Wondering why

  34. Zash

    Huh, I had forgotten about https://hg.prosody.im/trunk/rev/a8367f169740 which went into Prosody 0.12.0.

  35. singpolyma

    Well most were probably already connected

  36. Zash

    Yeah I don't think anyone closes connections when the certs expire.

  37. Zash

    Unless you count all those servers that aggressively close idle connections.

  38. moparisthebest

    Right, but more context is this was right after a server move, so it wasn't that...

  39. moparisthebest

    > Huh, I had forgotten about https://hg.prosody.im/trunk/rev/a8367f169740 which went into Prosody 0.12.0.

    This seems like a good default imho

  40. Zash

    Configurations based on the previous defaults may not have been updated by everyone tho.

  41. Zash

    And that doesn't disable Dialback (the protocol), only Dialback (as a method of establishing trusted identity).

  42. dwd

    Metre always handles the XEP-0220 wire protocol, but by default only does PKIS for authentication.

  43. dwd

    PKIX, rather. :-)

  44. dwd

    So, in particular, if a remote server it's connecting to doesn't offer SASL EXTERNAL, it'll verify the cert anyway, and request dialback only if it passes.

  45. Zash

    Sounds like what Prosody does with `s2s_secure_auth = true`

  46. dwd

    And if a server connects to it, Metre verifies the cert and offers both SASL EXTERNAL and dialback - and if the server sends a <db:result/> it'll get a <db:result type='valid'/> straight back.

  47. dwd

    Metre being Metre, you can reverse all this, so it'll ignore the TLS cert and only use dialback if you really want.

  48. dwd

    As for expiry... The principal problem with an expired cert is that one can no longer discover if it's been revoked. I suppose arguably, if you're not checking for revocation status anyway, then why worry about it being expired?

  49. dwd

    And FWIW, 178 db:results received in the past 24 hours, 174 db:verify.

  50. Zash

    Got numbers on how many unique hosts do it? Hard to tell the difference between 170 hosts doing dialback once and one host doing dialback 170 times

  51. Zash

    equally tricky numbers, current s2s connections to here ({muc.}xmpp.org): 1034 "Not used", 7 "Completed"

  52. MSavoritias fae.ve

    > Context is from xmpp:operators@muc.xmpp.org?join where joinjabber has had an expired cert for days but didn't notice because a ton of servers connected anyway... Wondering why

    ah wasn't part of that group so that is where it was reported

  53. MSavoritias fae.ve

    what happened actually there was pretty interesting. certbot changed the directories for some reason

  54. MSavoritias fae.ve

    either way it will be fixed tomorrow as a heads up :D

  55. moparisthebest

    Right but I'm curious why so many servers connected back anyway when really they shouldn't have...

  56. Zash

    moparisthebest, set up a server with a self-signed cert but otherwise valid DNS etc so Dialback will work, try connecting to some servers and see if they Dialback and authorize the connection?

  57. Zash

    I could do this with badxmpp.eu, but it's friday and I'm lazy

  58. moparisthebest

    Yea, but that wouldn't tell me if any servers handle "untrusted cert" differently than "would be trusted but expired" for example, maybe they don't though

  59. Zash

    get a real cert, wait until it expires, don't renew it

  60. moparisthebest

    ooh or see if I have an expired one in my backups...

  61. Zash

    Daniel,

    > There are certificates that are valid for the XMPP domain example.com but not for the regular (HTTP) server on example.com.

    Where are such certificates? Not issued by any regular CAs since they're forbidden by the CA/Browser Forum

  62. Daniel

    🤷‍♂️

  63. Daniel

    Private deployments presumably

  64. Zash

    And how do we infiltrate the CA/Browser Forum to fix that? :/

  65. moparisthebest

    I think there's that srvTarget or similar? But yes not on the public federated network

  66. moparisthebest

    I'd rather convince CA folks to issue .onion certs first...

  67. Zash

    > I'd rather convince CA folks to issue .onion certs first...

    This is coming soon as I understand

  68. Daniel

    > I think there's that srvTarget or similar? But yes not on the public federated network

    There are two mechanisms. One 'generic' for SRV records and one specific to XMPP

  69. Zash

    > This is coming soon as I understand

    Or did I dream that? I was sure I saw movement somewhere :|

  70. moparisthebest

    >> I'd rather convince CA folks to issue .onion certs first...
    > This is coming soon as I understand

    ooh exciting, I know they've talked about it for forever but I hadn't kept up to date

  71. Zash

    https://mailarchive.ietf.org/arch/msg/acme/25r41sV0_l-Fc1a-_COJn4XKxts/ constitutes some kind of movement, maybe I dreamed the rest

  72. Zash

    re SRV-ID, https://github.com/letsencrypt/boulder/issues/1309 is still depressing

  73. Zash

    Oh but https://github.com/cabforum/servercert/issues/268#issuecomment-2102926797 is more encouraging

  74. dwd

    > Got numbers on how many unique hosts do it? Hard to tell the difference between 170 hosts doing dialback once and one host doing dialback 170 times

    True... And this isn't really telling us much about whether they're reliant on it for authentication of course. I'll add the telemetry for domains, though; I'm currently missing quite a bit.

  75. moparisthebest

    I've had dialback disabled for years I think at this point and haven't seen a server I can't connect to or vice versa...

  76. singpolyma

    c.im custom domain customer but probably not much else

  77. Zash

    Do they still do c2s-only POSH?

  78. Zash

    Or rathert, do they do s2s POSH yet?

  79. Zash

    Or rather, do they do s2s POSH yet?

  80. singpolyma

    I believe posh is c2s only. I'm not sure any servers support it for s2s anyway, which is probably goid

  81. singpolyma

    I believe posh is c2s only. I'm not sure any servers support it for s2s anyway, which is probably good

  82. Zash

    There's a module for Prosody :)

  83. singpolyma

    Of course there is 🙂

  84. Zash

    I would, of course, rather see more DANE

  85. moparisthebest

    posh supports s2s and xmpp-proxy supports it on both c2s and s2s, so maybe that's why I haven't noticed anything not working lol