Good morning, snowy Brussels! Despite the dangers fosstodon.org/@fosdem/10152177 #FOSDEM starts. Let's now go to the "ethics and blockchain" session.

Mitchell Baker speaking without slides (it seems there is a technical glitch). #FOSDEM

Now, Deb Nicholson on "Blockchain: The Ethical Considerations" (first slide: a man working on a giant strawberry)

(I'm disappointed: this big room - Janson - is not full.)

#FOSDEM

Very good talk by Tom Hacohen about the pleasures of developing a really serious privacy-oriented application. #FOSDEM

* everything is done on the client: changing the protocol requires upgrading all clients
* data is encrypted client-side, so the developer never sees the data and cannot debug data-related issues.
#privacy #endToEndEncryption #FOSDEM

Now, a guy with a French accent on stage. "#GDPR and the right to data portability" #FOSDEM

RFC 171 on screen (about transfer of data between centralized silos). #RFC #FOSDEM

Now, Veronika Nad on #journalism, and how it could benefit from free software. #FOSDEM

(The room is not full, which is very rare for the Decentralized Internet and Privacy devroom.)

Now, panel about #ActivityPub at #FOSDEM. Christopher Webber, Gualter Barbas Baptista "How many people in the room have read the specification?" [Several hands, including mine] "Wow, that's a lot for a specification."

"What interested you in #ActivityPub?"

"It is simple to understand"

"Because it is used in #Mastodon"

"It is about distributing power"

#FOSDEM

"#ActivityPub has a good model as a foundation: everything is actors sending messages to each other."

With such a vague description, any protocol is ActivityPub...

#FOSDEM

"It would be cool to have a documentation of 'MastodonPub' [the actual protocol(s) needed to work with Mastodon] but we must not forget that #ActivityPub could be used for very different things, too." #FOSDEM

By the way, are there women working on #ActivityPub? The panel seems, at first glance, to be all-male. #FOSDEM

#ActivityPub has a client-to-server protocol but nobody uses it; every ActivityPub server has its own API. Is it a bad thing?

"Use cases are too different [Mastodon for chatting, Funkwhale to listen to music], a common client would lead to a poor user experience."

#FOSDEM

"What I don't like in #ActivityPub is that it uses #JSON." Troll incoming, flame war ahead. #FOSDEM

What is needed for the fediverse to talk to alice@7j3ncmar4jm2r3e7.onion? Webfinger and ActivityPub can work over Tor but most Mastodon instances cannot talk Tor. #FOSDEM

Philip Homburg certifies #DNS results from his application, with #getdns.
He starts with a comparison with X.509 (1) with X.509, you need to trust a lot of other parties; 2) if the attacker controls DNS, it controls X.509 anyway). getdnsapi.net/ #DNSSEC #FOSDEM

Speaking of #getdns, a volunteer to write a monitoring plugin with getdns? monitoring-plugins.org/

Existing #DNS plugins call dig or nslookup :-(

#FOSDEM

@bortzmeyer nice :) I set this up five years ago in Octopuce's Puppet: a bit of script that takes the servers' SSH keys and publishes them in the DNS:
dns.bortzmeyer.org/tim.octopuc

that + VerifyHostKeyDNS yes
in ssh_config = <3

@vincib The speaker explained very well why 'VerifyHostKeyDNS yes' is a no-op :-)


@bortzmeyer ah (I'm not at FOSDEM), in what way is it a no-op?

debug1: matching host key fingerprint found in DNS
debug1: Host 'tim.octopuce.fr' is known and matches the ECDSA host key.


@vincib Because the ldns library, used by OpenSSH, does not load the root key; it has to be done manually (and nobody does it). So, no DNSSEC validation.

@bortzmeyer Indeed, I just discovered the "found 3 insecure fingerprints ..."

@vincib To quote the speaker: "this code is perfectly fine, but it doesn't work".

@bortzmeyer I see that; in openssh 7.9p1, in openbsd-compat/getrrsetbyname-ldns.c L109, I have ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC */
but no call to ldns_resolver_set_dnssec_anchors() :/

@vincib Yes, that's the problem. (set_dnssec_anchors would require fetching the trust anchors, which getdns does but ldns does not.)

@bortzmeyer The worst part is that the patch shouldn't be very complicated; one could already use a static anchor...
- add a "dnssec_anchor_file" parameter to ssh_config
- read the corresponding file (example in examples/ldns-dane.c, function read_key_file ...)
- call ldns_resolver_set_dnssec_anchors()
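As an added example (not vincib's Puppet script and not OpenSSH code), the two halves of the exchange above: turning an OpenSSH host key into the SSHFP records a script would publish in the DNS, and the client-side rule that makes `VerifyHostKeyDNS` useless without DNSSEC validation, where a matching record only counts when the answer was authenticated. The algorithm and fingerprint-type numbers are the registered SSHFP values (RSA 1, DSA 2, ECDSA 3, Ed25519 4; SHA-1 1, SHA-256 2). The sample keys are constructed byte blobs, not real keys, and `dns_hostkey_verdict` is a simplified model of the decision, with the "authenticated" flag standing in for a validating resolver's AD bit.

```python
"""Generate SSHFP records from OpenSSH public keys and model the client-side
check.  Added example; not the Octopuce script nor OpenSSH's own code."""
import base64
import hashlib

# Registered SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Registered SSHFP fingerprint types -> hashlib algorithm names.
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def parse_pubkey(line):
    """Split an OpenSSH public key line '<type> <base64> [comment]' into (type, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    return keytype, base64.b64decode(b64, validate=True)


def sshfp_records(line):
    """Return [(algorithm, fptype, hex_fingerprint), ...] over the raw key blob,
    one record for SHA-1 and one for SHA-256."""
    keytype, blob = parse_pubkey(line)
    alg = SSHFP_ALGORITHM[keytype]  # KeyError for key types without an SSHFP number
    return [(alg, fptype, hashlib.new(name, blob).hexdigest())
            for fptype, name in sorted(SSHFP_FPTYPE.items())]


def sshfp_zone_lines(owner, line, ttl=3600):
    """Render the records as zone-file lines: '<owner> <ttl> IN SSHFP <alg> <fptype> <hex>'."""
    return ["%s %d IN SSHFP %d %d %s" % (owner, ttl, alg, fptype, fp)
            for alg, fptype, fp in sshfp_records(line)]


def key_matches_sshfp(line, rdata):
    """True when the key line matches SSHFP rdata text 'alg fptype hex' (case-insensitive hex)."""
    alg, fptype, fp = rdata.split()
    alg, fptype, fp = int(alg), int(fptype), fp.lower()
    return any(a == alg and t == fptype and h == fp for a, t, h in sshfp_records(line))


def dns_hostkey_verdict(line, rdatas, authenticated):
    """Simplified model of what a VerifyHostKeyDNS client must do (not OpenSSH code):
    a matching SSHFP record is trusted only if the DNS answer was DNSSEC-validated
    ('authenticated'); otherwise it is merely an 'insecure fingerprint'."""
    matching = [r for r in rdatas if key_matches_sshfp(line, r)]
    if not matching:
        return "no-match"
    return "trusted" if authenticated else "insecure"


def _constructed_key(keytype, payload, comment="constructed@example"):
    """Build a syntactically valid key line from a constructed (not real) key blob."""
    blob = len(keytype).to_bytes(4, "big") + keytype.encode() + payload
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


# Constructed sample keys: valid wire framing, meaningless key material.
SAMPLE_ED25519 = _constructed_key("ssh-ed25519", (32).to_bytes(4, "big") + bytes(range(32)))
SAMPLE_RSA = _constructed_key("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x04\x00\xaa\xbb\xcc")


if __name__ == "__main__":
    for zl in sshfp_zone_lines("tim.example.", SAMPLE_ED25519):
        print(zl)
    rd = "4 2 " + sshfp_records(SAMPLE_ED25519)[1][2]
    print(dns_hostkey_verdict(SAMPLE_ED25519, [rd], authenticated=False))  # insecure
```

The publish side is the easy part; the thread's point is the last function: a client that reads SSHFP records through a resolver that does not validate DNSSEC (as OpenSSH's ldns path does without a loaded trust anchor) can only ever reach the "insecure" branch, which is exactly the "found N insecure fingerprints" message vincib saw.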
