[Standards] Fwd: Minutes 20140212
FYI

-- Forwarded message --
From: Kevin Smith
Date: Thu, Feb 13, 2014 at 9:37 AM
Subject: Minutes 20140212
To: XMPP Council

Room logs: http://logs.xmpp.org/council/140212/

1) Roll call
Kev, Lance, Fippo and Tobias present. Matt absent with apologies.

2) http://xmpp.org/extensions/xep-0152.html Move to Draft?
+1 from those present. Matt has a fortnight to vote.

3) Select editors
Consensus to select all the volunteers who weren't already on Council or Board (no consensus that Board/Council Editors are undesirable, but agreement that there were enough volunteers without doubling duties). Kev to present to Board for ratification (now done).

4) XEP-0055
XEP-0055 has a XEP-0004 based method of field selection, as well as a basic method. There was discussion at the recent summit about deprecating the non-forms based method. Agreement from those present that it was better to leave -55 as-is, and to propose a new XEP if semantics are to be changed, as 55 has been widely deployed (in varying states) for years.

5) Date of next meeting
2014-02-19 16:00Z

6) Any other business
None.

Fini

Re: [Standards] compression attacks
On 13 feb. 2014, at 01:04, Peter Saint-Andre stpe...@stpeter.im wrote:

> While working on draft-sheffer-uta-tls-attacks with Yaron Sheffer this week, he pointed out to me that the TIME and BREACH attacks might apply to application-layer compression technologies such as XEP-0138 for XMPP. I haven't looked into that in detail yet, but I figured I'd raise the issue here for discussion.

Depends on what data you consider secret. Passwords shouldn't be in the compressed stream, per XEP-0170. Other highly sensitive data can be your contact list and the contents of your messages. Both of these an attacker should not be able to trigger retransmissions of, which complicates attacking them. But it's likely the attacker will be able to extract information like "is jul...@example.lit on your roster?", "did you receive a message from jul...@example.lit in the past 32 kB?" (the zlib window size) or "did you receive a message that included the phrase 'thermonuclear war' in the last 32 kB?".

Thijs
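
The length signal discussed in this thread can be measured directly. The following is an added example, not part of the original messages: it compares the compressed size of one stanza depending on whether the same JID passed through the shared zlib context earlier, shows that the difference disappears once more than one 32 kB window of other traffic has intervened, and shows that it also disappears when the compressor is reset after every stanza with `Z_FULL_FLUSH`. The JIDs, the stanza layout, the function names and the use of `Z_FULL_FLUSH` as a countermeasure are assumptions of this example, not taken from the thread or from XEP-0138.

```python
import random
import zlib


def stanza(jid):
    # Constructed sample stanza; the JIDs used below are made up for this example.
    return f'<message from="{jid}" type="chat"><body>hi</body></message>'.encode()


def probe_size(history, probe, flush_mode):
    """Compressed size of `probe` after `history` went through the same zlib stream.

    Stream-level compression keeps one deflate context for the whole session,
    so earlier stanzas stay referenceable for as long as they are in the window.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, 15)  # wbits=15 -> 32 kB window
    for chunk in history:
        comp.compress(chunk)
        comp.flush(flush_mode)  # output discarded; only the compressor state matters
    return len(comp.compress(probe) + comp.flush(flush_mode))


def leak(flush_mode, filler=b""):
    """Bytes saved on the wire when the probed JID was seen earlier vs. not seen."""
    probe = stanza("alice@example.lit")
    seen = [stanza("alice@example.lit")]
    unseen = [stanza("carol@example.lit")]  # same length, different contact
    tail = [filler] if filler else []
    return (probe_size(unseen + tail, probe, flush_mode)
            - probe_size(seen + tail, probe, flush_mode))


# 40 kB of constructed incompressible traffic, i.e. more than one zlib window.
FILLER = bytes(random.Random(0).getrandbits(8) for _ in range(40_000))

if __name__ == "__main__":
    print("shared context (Z_SYNC_FLUSH): ", leak(zlib.Z_SYNC_FLUSH), "bytes")
    print("match older than the window:   ", leak(zlib.Z_SYNC_FLUSH, FILLER), "bytes")
    print("reset per stanza (Z_FULL_FLUSH):", leak(zlib.Z_FULL_FLUSH), "bytes")
```

A non-zero first value is the signal an observer of ciphertext lengths would see; the reset removes it at the cost of a worse compression ratio, since no stanza can reuse strings from earlier ones.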