[jdev] Heml.is and federation..

Steffen Larsen zooldk at gmail.com
Sat Jul 13 04:44:50 UTC 2013


Hi,

On Jul 12, 2013, at 11:16 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 7/12/13 1:24 PM, Matthew Wild wrote:
>> On 12 July 2013 19:56, Steffen Larsen <zooldk at gmail.com> wrote:
>>> I just stumbled upon https://heml.is, which is a new XMPP client
>>> for IOS and Android. Anyone knows these guys?
>> 
>> https://en.wikipedia.org/wiki/Peter_Sunde and others (some also
>> behind the payment service Flattr).
>> 
>>> It uses XMPP and PGP for encryption, but do any of you guys know
>>> if they federate?.. What I can see from skimming their page, its
>>> yet another silo, due to the fact of PGP and their own
>>> infrastructure. So federation and using your own domain does not
>>> seem feasible, right? Anyone want to discuss this and the
>>> alternatives besides OTR? Security labels?
>> 
>> " == Your server only? == Yes! The way to make the system secure is
>> that we can control the infrastructure. Distributing to other
>> servers makes it impossible to give any guarantees about the
>> security. We’ll have audits from trusted third parties on our
>> platforms regularily, in cooperation with our community.
>> 
>> For those interested in a bit of our tech backend infrastructure: 
>> We’re building encrypted tunnels/MPLS networks between countries,
>> with anycast ingress/egress points so that your traffic should pass
>> as few borders as possible. Messages will be sent to as close as
>> possible to the recipient, which makes it impossible for agencies
>> like NSA and FRA to see who’s talking to whom. This sort of virtual.local network makes Heml.is much more secure than a regular system
>> that can’t avoid border crossings. "

Yes I've read that. :-)

>> 
>> Needless to say I disagree with this model, or their assertions
>> (which secure s2s solves just as well).

+1, I totally agree with you about disagreeing on this model,  but we are not there yet. these guys are solving e2e encryption, s2s do not solve that alone.


> 
> I'm with you, but we don't have secure s2s. In general, XMPP server
> implementations don't perform proper (RFC 6125 / RFC 6120) certificate
> checking and don't have an option to refuse connections from domains
> that lack proper certificates. Existing XMPP deployments too often
> don't have proper certificates, either. And we need to figure out
> solutions to the multi-tenant problem (see draft-ietf-xmpp-dna and
> draft-miller-posh at the IETF, as well as eventually DNSSEC/DANE), so
> that larger hosting providers can offer and enforce secure s2s.
> 
> I know that there's work going on here (standards, server code, and
> some deployments), but it's not proceeding fast enough…
> 


That was actually my point in starting this discussion.  I actually did knew that they didn't federate, but I really just wanted to start a discussion about it.
I just really want to shout out that these guys have a big backing (both in money and in upcoming endusers) in making something that is just another silo - which makes me kinda' angry. :-)
I don't think that people signing up really realise this. Heml.is are stating XMPP standards, but are really only using c2s thingy without all of the s2s communication (fed). 

This also make me think about funding. Could we not as the XSF do more about this area? I mean these guys put up 152k$ in no time. I know that they are doing implementation and we are doing specs. But making specs takes time and if we had some more funding we might be able to develop these specs faster. I know that it is a two-edged sword, because specs needs implementations and people in the XSF have different motivation for the implementation, but surely we could move faster on the specs if we had some $?

Well it was just a thought! I just think we will be run over by people saying XMPP but really are implementing something completely non-standard to archive their goal, if we do not provide a proper solution (I know this area is not easy!).  I also know that money and foundations are not easy to handle, but we might discuss this area in Berlin, which I am hoping to join..


> Peter
> 
> - -- 
> Peter Saint-Andre
> https://stpeter.im/
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQIcBAEBAgAGBQJR4GQWAAoJEOoGpJErxa2p3gIP/jfhqcOAhjQ+ewxKpQiiaHwd
> 0mj0dur2XndttFgurNsfRFsnc1zespJulcMktVjH6f+OB3dQtD3TxqE/OA7EgtQU
> q3IjkbxhhQH4HFiCcBvzgxF/90eQbehuPeoRYep3DvAXxuzjogOBRDjzWV2p/I9k
> zVDCkUgCk7X99+M287oUjo8hdES61jSi5wwX0S5NdGYp7Xi6yVG8uHPLTcIq5LVS
> fq0xSb/XzB6WRwfp6Fwvxka6lVLPlvmNKgDDKRo89sTPkCAKu1Eiilnxp3nUmhCy
> IXF1KKoXIOPfiq9RyO1Mpng0WUJ6EzUd4+qRofC673hhDIWogi8604eY20tY3mzR
> 8SSj9ia6iFDm0bXRoPPSUue3on8+i3cj7JyJ0oRDIsxWTqpZBDIfA05/ueBlutm+
> AbgJlS4qKg/5D1LKe6cVUwGCCFPtGxf6e0g1pn1AcELvW2WeMCbWtiu06hAWaq+6
> svIcasA/0OXdxRJqxM+3gODLM2DznK6pvUy2crPg/Wdv371qO5p2s087tCFFLI8q
> 42dTZapKOkrNHR5sfmkiyA1XyQksCibTTSP8tjYdEKHsdW0TAWeUBo2t+m1ybyr3
> +dszU+D+t5yqz9uYjeAupQQBL8Gj198HfmFMb9y4pyfiVR7IIW7DCXg6CdbBdYe4
> z4TPz2HO2BGAaVxGcY+a
> =eYSV
> -----END PGP SIGNATURE-----
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________

/Steffen


More information about the JDev mailing list