Re: [Standards] Presences of Contacts in Search Result

2015-10-19 Thread Phuong Vo
> > > From: Dave Cridland
> > > To: XMPP Standards 
> > > Subject: Re: [Standards] Presences of Contacts in Search Result
> > > Message-ID:
> > > >
> > > Content-Type: text/plain; charset="utf-8"
> > >
> > >> On 16 October 2015 at 18:14, Phuong Vo  wrote:
> > >>
> > > >> I am currently developing jabber client (vs Cisco Jabber server) and
> > > >> facing a difficulty of getting presences of contacts (internal contacts,
> > > >> not federated contacts) in search result if those contacts are not in my
> > > >> contact list (not in roster). In terms of XMPP protocol, could you please
> > > >> help me how to achieve this feature? Any idea, direction are appreciated.
> > > You can't, by design, in standard XMPP.
> > >
> > > > The roster is not only a contact list, but also an access control list of
> > > > which other jids are allowed to see your presence; so to see people's
> > > > presence you'd need to add them to your roster. You do this by subscribing
> > > > to their presence via a  stanza.
> > >
> > > Dave.
> > >
> > > --
> > >
> > > Message: 4
> > > Date: Sat, 17 Oct 2015 12:55:50 +0200
> > > From: Goffi 
> > > To: XMPP Standards 
> > > Subject: Re: [Standards] Fwd: [Council] Minutes 20151014
> > > Message-ID: <1981379.Sl3HtCtIuH@dhcppc7>
> > > Content-Type: text/plain; charset="utf-8"
> > >
> > > > On Friday 16 October 2015, 15:08:18 Kevin Smith wrote:
> > >> FYI
> > >>
> > >>> Begin forwarded message:
> > >>>
> > >>> From: Kevin Smith
> > >>> Date: 16 October 2015 at 15:06:51 BST
> > >>> To: XMPP Council
> > >>> Subject: [Council] Minutes 20151014
> > >>>
> > >>> 1) Roll call
> > > >>> Kev, Lance, Fippo, Dave present. Matt absent (it later transpired he'd
> > > >>> tried to send apologies and failed)
> > >>>
> > >>> 2) Website review
> > >>>
> > >>> Dave asked everyone to review all the technical content on
> > >>> http://new.xmpp.org/ for correctness
> > >
> > > > The new website looks great, congrats ! I'm just wondering if "The most secure
> > > > messaging protocol" and "Privacy-focused" is suitable when we still don't have
> > > > a good popular solution for end to end encryption. I know there is work on
> > > > Axolotl/Omemo which fixes some stuff but:
> > > 1) it's not standardised yet
> > > 2) it seems to be focusing on chat
> > > 3) it encodes the  element instead of the whole stanza
> > >
> > > We still lack a popular end to end full stanza encryption solution.
> > >
> > > > Is it possible to have a focus on end 2 end encryption for the Fosdem XMPP
> > > > summit ? It's a long time issue in XMPP, and I don't think we can claim "the
> > > > most secure messaging protocol" without this fixed.
> > >
> > >
> > > Thanks
> > > Goffi
> > >
> > >
> > > --
> > >
> > > Subject: Digest Footer
> > >
> > > ___
> > > Standards mailing list
> > > Standards@xmpp.org
> > > http://mail.jabber.org/mailman/listinfo/standards
> > >
> > >
> > > --
> > >
> > > End of Standards Digest, Vol 143, Issue 21
> > > **
> >
> >
> > --
> >
> > Message: 2
> > Date: Mon, 19 Oct 2015 09:59:50 +0200
> > From: Peter Waher 
> > To: "standards@xmpp.org" , "secur...@xmpp.org"
> > 
> > Subject: [Standards] Questions regarding Diffie-Hellman
> > Message-ID: 
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hello
> >
> > Regarding the latest report concerning vulnerabilities in the
> > Diffie-Hellman key Exchange [1] (short introduction in [2]) and the
> lo

Re: [Standards] Presences of Contacts in Search Result

2015-10-19 Thread Phuong Vo
> > --
> >
> > Message: 2
> > Date: Fri, 16 Oct 2015 10:14:12 -0700
> > From: Phuong Vo 
> > To: standards@xmpp.org
> > Subject: [Standards] Presences of Contacts in Search Result
> > Message-ID:
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi,
> >
> > I am currently developing jabber client (vs Cisco Jabber server) and facing
> > a difficulty of getting presences of contacts (internal contacts, not
> > federated contacts) in search result if those contacts are not in my
> > contact list (not in roster). In terms of XMPP protocol, could you please
> > help me how to achieve this feature? Any idea, direction are appreciated.
> >
> > Thanks,
> > Phuong Vo
> >
> > --
> >
> > Message: 3
> > Date: Fri, 16 Oct 2015 20:07:32 +0100
> > From: Dave Cridland 
> > To: XMPP Standards 
> > Subject: Re: [Standards] Presences of Contacts in Search Result
> > Message-ID:
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> >> On 16 October 2015 at 18:14, Phuong Vo  wrote:
> >>
> >> I am currently developing jabber client (vs Cisco Jabber server) and
> >> facing a difficulty of getting presences of contacts (internal contacts,
> >> not federated contacts) in search result if those contacts are not in my
> >> contact list (not in roster). In terms of XMPP protocol, could you please
> >> help me how to achieve this feature? Any idea, direction are appreciated.
> > You can't, by design, in standard XMPP.
> >
> > The roster is not only a contact list, but also an access control list of
> > which other jids are allowed to see your presence; so to see people's
> > presence you'd need to add them to your roster. You do this by subscribing
> > to their presence via a  stanza.
> >
> > Dave.
> >
> > --
> >
> > Message: 4
> > Date: Sat, 17 Oct 2015 12:55:50 +0200
> > From: Goffi 
> > To: XMPP Standards 
> > Subject: Re: [Standards] Fwd: [Council] Minutes 20151014
> > Message-ID: <1981379.Sl3HtCtIuH@dhcppc7>
> > Content-Type: text/plain; charset="utf-8"
> >
> > On Friday 16 October 2015, 15:08:18 Kevin Smith wrote:
> >> FYI
> >>
> >>> Begin forwarded message:
> >>>
> >>> From: Kevin Smith
> >>> Date: 16 October 2015 at 15:06:51 BST
> >>> To: XMPP Council
> >>> Subject: [Council] Minutes 20151014
> >>>
> >>> 1) Roll call
> >>> Kev, Lance, Fippo, Dave present. Matt absent (it later transpired he'd
> >>> tried to send apologies and failed)
> >>>
> >>> 2) Website review
> >>>
> >>> Dave asked everyone to review all the technical content on
> >>> http://new.xmpp.org/ for correctness
> >
> > The new website looks great, congrats ! I'm just wondering if "The most secure
> > messaging protocol" and "Privacy-focused" is suitable when we still don't have
> > a good popular solution for end to end encryption. I know there is work on
> > Axolotl/Omemo which fixes some stuff but:
> > 1) it's not standardised yet
> > 2) it seems to be focusing on chat
> > 3) it encodes the  element instead of the whole stanza
> >
> > We still lack a popular end to end full stanza encryption solution.
> >
> > Is it possible to have a focus on end 2 end encryption for the Fosdem XMPP
> > summit ? It's a long time issue in XMPP, and I don't think we can claim "the
> > most secure messaging protocol" without this fixed.
> >
> >
> > Thanks
> > Goffi
> >
> >

Re: [Standards] Stream Management and BOSH

2015-10-19 Thread Christian Schudt
While BOSH has its own acknowledgement mechanism, there are still some subtle 
differences when it comes to resumption:
With resumption you don't need to:
- re-request the roster
- resend presence
- re-establish state information (as mentioned in XEP-0198)

I see performance benefits (less HTTP queries), when you could just resume a 
BOSH session by means of XEP-0198.


- Christian


> Hi,
>
> I don't know if this was discussed already or not but I couldn't find
> anything trustworthy about combining Stream Management with BOSH.
>
> I'd like to hear an opinion from the community regarding using Stream
> Management over BOSH. It looks like these two can be combined but the
> questions are:
> 1. Does this make sense?
> 2. Was Stream Management designed with BOSH in mind or only for regular TCP
> (or WS) connections?



Re: [Standards] Stream Management and BOSH

2015-10-19 Thread Matthew Wild
On 19 October 2015 at 12:27, Michal Piotrowski wrote:
> Hi,
>
> I don't know if this was discussed already or not but I couldn't find
> anything trustworthy about combining Stream Management with BOSH.
>
> I'd like to hear an opinion from the community regarding using Stream
> Management over BOSH. It looks like these two can be combined but the
> questions are:
> 1. Does this make sense?
> 2. Was Stream Management designed with BOSH in mind or only for regular TCP
> (or WS) connections?

I agree that on the surface it doesn't make sense. However Lance Stout
provided me with an interesting use-case: using XEP-0198 allows you to
seamlessly transfer a session between TCP, BOSH and WS (in theory).

In practice, Prosody doesn't really support this (you have to resume
the session over the same transport you initiated the session on). But
it's something we're considering changing, and I don't think it would
be much work.

Regarding question 2, no, I think it's safe to say that XEP-0198 was
not designed with BOSH in mind. BOSH has its own similar functionality
built in, and except for the use-case mentioned above (assuming it
worked reliably), I don't think it makes sense to negotiate it over
BOSH.

Regards,
Matthew


Re: [Standards] Stream Management and BOSH

2015-10-19 Thread Florian Schmaus
On 19.10.2015 13:27, Michal Piotrowski wrote:
> Hi,
> 
> I don't know if this was discussed already or not but I couldn't find
> anything trustworthy about combining Stream Management with BOSH.
> 
> I'd like to hear an opinion from the community regarding using Stream
> Management over BOSH. It looks like these two can be combined but the
> questions are:
> 1. Does this make sense?

No, you don't need Stream Management (XEP-198) when using BOSH.

- Florian






[Standards] Stream Management and BOSH

2015-10-19 Thread Michal Piotrowski
Hi,

I don't know if this was discussed already or not but I couldn't find
anything trustworthy about combining Stream Management with BOSH.

I'd like to hear an opinion from the community regarding using Stream
Management over BOSH. It looks like these two can be combined but the
questions are:
1. Does this make sense?
2. Was Stream Management designed with BOSH in mind or only for regular TCP
(or WS) connections?

Many thanks in advance for any comment.

Best regards
Michal Piotrowski
michal.piotrow...@erlang-solutions.com


Re: [Standards] Presences of Contacts in Search Result

2015-10-19 Thread Cramer, E.R. (Eelco)
For internal contact only you might want to check out:

http://www.xmpp.org/extensions/xep-0144.html#entities-groupservice 


If your server administrator allows it and your server supports it.

“A group service enables an administrator to centrally define and administer 
roster groups so that they can be shared among a user population in an 
organized fashion.”

“If the user has registered with a group service or been otherwise provisioned 
to use a group service, the receiving application SHOULD process roster item 
suggestions received from the service. Such processing MAY occur automatically 
(i.e., without the user's approval of each roster item or batch of roster 
items) if and only if the receiving application has explicitly informed the 
user that it will automatically process roster items from the service. 
Furthermore, the receiving application SHOULD periodically verify automatic 
processing with the user (e.g., once per session in which the service sends 
roster item suggestions to the user).”

Hope this helps.

> On 19 Oct 2015, at 12:28, Dave Cridland wrote:
> 
> On 19 October 2015 at 00:25, Phuong Vo wrote:
> According to your reply, if I want to see presences of all contacts in search 
> result, I have to add them to roster. That is just fine for single endpoint; 
> however, jabber supports multiple endpoints (the same users can login on 
> multiple devices) if I do this on one endpoint, all other endpoints will see 
> searched contacts in the contact list which is weird behavior. I am not sure 
> XMPP has a workaround for this issue. Thanks for your response Dave.
> 
> You're misunderstanding.
> 
> You can only see presence for those people who have given you permission to 
> do so.
> 
> This is intentional, and a workaround would be a security issue.
> 
> Dave.




Re: [Standards] Presences of Contacts in Search Result

2015-10-19 Thread Dave Cridland
On 19 October 2015 at 00:25, Phuong Vo  wrote:

> According to your reply, if I want to see presences of all contacts in
> search result, I have to add them to roster. That is just fine for single
> endpoint; however, jabber supports multiple endpoints (the same users can
> login on multiple devices) if I do this on one endpoint, all other
> endpoints will see searched contacts in the contact list which is weird
> behavior. I am not sure XMPP has a workaround for this issue. Thanks for
> your response Dave.
>

You're misunderstanding.

You can only see presence for those people who have given you permission to
do so.

This is intentional, and a workaround would be a security issue.

Dave.
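
Added example (not part of the original thread, and not code from any XMPP server): a small Python model of the rule described above, where the roster doubles as the access control list for presence. It assumes the subscription states none/to/from/both defined in RFC 6121; the Server class, its method names and the example.com JIDs are hypothetical.

```python
# Added illustration: minimal model of roster-based presence authorization.
# All JIDs are constructed sample values; class and method names are hypothetical.
from collections import defaultdict

class Server:
    def __init__(self):
        # rosters[owner][contact] -> "none" | "to" | "from" | "both"
        self.rosters = defaultdict(dict)
        self.pending = set()   # (requester, target) pairs awaiting approval
        self.online = {}       # bare JID -> current availability

    def _grant(self, owner, contact, direction):
        # Merge a new direction ("to" or "from") into the existing state.
        cur = self.rosters[owner].get(contact, "none")
        other = "from" if direction == "to" else "to"
        self.rosters[owner][contact] = "both" if cur in (other, "both") else direction

    def subscribe(self, requester, target):
        # <presence type='subscribe'/>: records a request, grants nothing.
        self.pending.add((requester, target))

    def approve(self, target, requester):
        # <presence type='subscribed'/>: the target authorizes the requester.
        if (requester, target) not in self.pending:
            return False
        self.pending.discard((requester, target))
        self._grant(target, requester, "from")  # requester may now see target
        self._grant(requester, target, "to")    # account-wide: every device sees it
        return True

    def may_see(self, viewer, owner):
        # The owner's roster is the ACL: only "from"/"both" entries get presence.
        return self.rosters[owner].get(viewer, "none") in ("from", "both")

    def probe(self, viewer, owner):
        # A presence probe is answered only for authorized viewers.
        if not self.may_see(viewer, owner):
            return "unsubscribed"
        return self.online.get(owner, "unavailable")

def demo():
    s = Server()
    s.online["bob@example.com"] = "available"
    before = s.probe("alice@example.com", "bob@example.com")   # search hit only
    s.subscribe("alice@example.com", "bob@example.com")
    pending = s.probe("alice@example.com", "bob@example.com")  # request alone changes nothing
    s.approve("bob@example.com", "alice@example.com")
    after = s.probe("alice@example.com", "bob@example.com")
    return before, pending, after
```

The roster entry is stored per account rather than per device, which is why a subscription made on one endpoint shows up on all of them.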


[Standards] Questions regarding Diffie-Hellman

2015-10-19 Thread Peter Waher
Hello
 
Regarding the latest report concerning vulnerabilities in the Diffie-Hellman 
key Exchange [1] (short introduction in [2]) and the logjam attack [3], is 
there anyone with experience in securing encrypted channels or 
end-to-end-encrypted channels using either 2048 bit keys or elliptic curve 
cryptography? Does anyone know to which extent there are brokers that support 
such level of cryptography? Or to what extent it is even legal to use such 
level of cryptography, and where?
 
Best regards,
Peter Waher
 
[1] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
[2] https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange#Practical_attacks_on_Internet_traffic
[3] https://en.wikipedia.org/wiki/Logjam_(computer_security)