[Standards] Council Minutes 2020-06-24

Tedd Sterr teddsterr at outlook.com
Mon Jun 29 23:02:25 UTC 2020


1) Roll Call
Present: Zash, Georg, Daniel, Jonas, Dave

2) Agenda Bashing
No changes.

3) Editor's Update
* Calls in progress
  - LC for XEP-0338 (ends on 2020-06-30)

4) PR #963 (XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails) - https://github.com/xsf/xeps/pull/963
Jonas notes a concern raised on the mailing list about this opening up a downgrade attack vector [1], but hasn't had time to look into that yet.
Georg thinks "MUC reflection" is relevant - Jonas doesn't think it helps if there is a very unequally distributed S2S failure. Georg would appreciate input from people who are into server development and SASL and Dialback things - Zash supposes it reflects reality, except that Dialback is rare these days given the success of Let's Encrypt (and their verification is somewhat equivalent to Dialback, so doesn't really think it's a downgrade attack). Georg thinks both methods fail if one assumes the attacker is on the network path between you and the server.
Georg suggests moving this discussion to the list and explicitly asking for input from server developers - Jonas agrees, and thinks it would be great if somebody could start that thread right away. Dave doesn't think it's a downgrade attack and will start a thread explaining why in more detail.

Jonas: [on-list]
Zash: [on-list]
Georg: [on-list]
Dave: +1
Daniel: [pending]

5) Outstanding Votes
Everyone is up-to-date - back-pats all round!

6) Date of Next
2020-07-01 1500 UTC

7) AOB
Jonas asks Dave for news on the much anticipated Mandatory Fun Council Team-Building Exercise video call - Dave remembers having scribbled down a reminder to arrange it.

8) Close
Thank you everyone, Jonas, Tedd, everyone, all, Jonas, and Tedd.

[1] https://mail.jabber.org/pipermail/standards/2020-June/037592.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20200629/8040c0a8/attachment.html>

More information about the Standards mailing list