Logs for jdev@conference.jabber.org

[16:42:36] <> stpeter, would it make sense to add active CRL & OCSP checking a requirement for http://tools.ietf.org/html/draft-saintandre-xmpp-tls-00 ?
[16:44:27] <> Define "active"? :)
[16:45:21] <> :/
[16:45:31] <> Tricky, the way OpenSSL does things, as I understand it
[16:45:41] <> Tobias: a MUST (but we know you won't) item? I still haven't found a decent way to handle it in python
[16:45:55] <> xnyhps, some defined update interval for CRLs? i.e. once 24h for known certificates
[16:45:59] <> Lance, glad we're in good company :)
[16:46:12] <> don't you just have to fetch them manually and then feed them back into openssl?
[16:46:13] <> Tobias: Okay, that sounds good. :)
[16:46:24] <> Tobias, yes, but I'd consider this is a deployment thing
[16:47:33] <> MattJ, usage of decent cipher suites too? :)
[16:48:11] <> No, since that is configured through the application
[16:48:34] <> as are CRLs
[16:48:43] <> [citation needed]
[16:48:43] <> apparently
[16:48:45] <> MattJ: How would you know which CRLs to fetch if Prosody doesn't tell you?
[16:49:14] <> Windows has TLS as an OS API/service
[16:49:16] <> xnyhps, you already trust a list of certs, these are configured system-wide
[16:49:30] <> there the OS does CRL/OCSP checking
[16:49:32] <> Each of these has an associated CRL
[16:49:39] <> ICAs introduce problems
[16:49:49] <> linux/*bsd obviously doesn't do that
[16:50:08] <> But I don't think it's feasible to go downloading CRLs whenever we establish an s2s connection (even with caching)
[16:50:21] <> OCSP wouldn't be out of the question
[16:50:26] <> xnyhps, other than that the X.509 prosody already can read includes references to OCSP and CRLs
[16:50:30] <> But that has a bunch of its own problems as I understand it
[16:52:26] <> None of the StartCom certificates that are trusted here have the CRL URL that's on my cert.
[16:52:28] <> why can't prosody fetch the CRLs into a cache directory and feed them to openssl?
[16:58:18] <> Why doesn't Prosody just go and fetch the root certs for you while it's at it? :)
[16:59:01] <> great..that would be my next suggestion :)
[17:00:23] <> Chrome gets a syndicated CRL pushed to it.
[17:02:30] <> Obviously a PubSub problem™
[17:02:41] <> right :)
[17:07:55] <> MattJ, and i doubt you'll see a huge change, linux distros coming with CRL fetching daemons by default, i think it's up to the application to ensure security
[17:14:21] <> Oh, CRL or OCSP checking is already a MUST in 6120.
[17:15:41] <> great...so nearly all implementations and deployments of XMPP aren't compliant :)
[17:16:22] <> Adium checks CRLs! :P (If you turn it on system wide...)
[17:16:42] <> xnyhps, if we could access the CRL via luasec, i'd be happy to write mod_crl for prosody :)
[17:32:18] <> stpeter, also, i don't think CRIME applies to XMPP's usage of TLS
[17:32:38] <> Tobias: yeah, it's all about cookies as I recall
[17:33:25] <> yeah..and 3rd party being able to introduce arbitrary strings into the requests
[17:33:45] <> which get compressed and encrypted along the cookies
[17:34:34] <> stpeter, but what did you want to say about session resumption? it's not a bad thing in general, is it?
[17:40:08] <> You need to be specific...which session resumption?
[17:40:16] <> TLS level
[17:40:23] <> or is it still unspecific?
[17:40:37] <> no, TLS is specific. You could have meant XMPP :)
[17:41:16] <> but in TLS there are still at least two ways of doing it, right? with the server and client caching information or only the client, right?
[17:41:48] <> You have Session Tickets (this was the thing that is disabled in many places because of shoddy old TLS implementations), and the older SSL session caching, yes.
[17:42:14] <> Other than security flaws in particular implementations, I am not (personally) aware of attacks against either, per se.
[17:42:51] <> well..implementations should usually be easier to fix than protocols :)
[17:43:29] <> and for mobile clients, TLS resumption can be quite useful i think
[17:43:42] <> /me has yet to check that out practically though :)
[17:59:49] <> /me wanders off for lunch, bbiab
[18:07:59] <> Tobias, Prosody does check CRLs, because OpenSSL checks CRLs
[18:08:07] <> if the CRLs are available
[18:08:40] <> don't you have to fill CRLs or the directories to look for explicitly into OpenSSL?
[18:08:41] <> But write mod_crl if you like, then we'll talk :)
[18:09:14] <> Tobias, there is a default path, the same way trusted roots work
[18:09:34] <> and how many crls are in that default path?
[18:09:39] <> more than 0?
[18:09:53] <> and when does openssl recheck that folder?
[18:10:10] <> That depends on the system and its admin...
[18:10:15] <> It stops being my problem :P
[18:10:24] <> sure..that's the easy way
[18:10:32] <> Ok, but the hard way has issues
[18:10:43] <> why implement TLS at all...let people just run an SSL proxy in front
[18:10:54] <> ;)
[18:11:09] <> I'd probably do it that way if it was feasible :)
[18:11:24] <> I don't want to be implementing crypto stuff that's already out there
[18:11:25] <> nooo, my channel binding
[18:11:41] <> Channel binding and a few things are part of what factors into my definition of "feasible".