Dev Communiqué for July 2022
Published on July 31, 2022 by Sam Whited
Welcome back, it's been a few months! Though Mellium progress continues to be slow due to scheduling changes at my day job, we had a few important updates this month that I wanted to let everyone know about. Most importantly, a security feature developed for Mellium was recently published by the IETF as an RFC! But first, some stats for the past three months:
- 9 commits to mellium.im/xmpp from 1 contributor
- 5 commits to Communiqué
- $20.91 in donations towards sustaining Mellium development from 1 contributor
The XMPP community has historically had close ties to the IETF. Mellium recently joined that tradition by improving the way the SCRAM family of SASL authentication mechanisms interact with TLS 1.3. That sentence was a mouthful, so let's back up and go over a little terminology.

XMPP uses a generic authentication framework known as the Secure Authentication and Security Layer (SASL) when a user logs in. SASL can authenticate users with different mechanisms, from something as simple as sending the username and password in plain text to something more complicated like TLS certificate authentication. The Salted Challenge Response Authentication Mechanism (SCRAM) is one of those mechanisms. It is a mutual authentication mechanism that has the interesting property of letting the user log in without storing the original password on either the server or the client!

SCRAM also offers another nice feature called "channel binding". Channel binding takes some piece of information that uniquely identifies a security context (in our case, a TLS session) and hashes it into the authentication exchange. This way, if the exchange is replayed over a different connection it is no longer valid. This means that the information hashed into the exchange must be unique to that specific TLS session, or it could be subject to attack. This is exactly what happened with the channel bindings that were defined for TLS 1.2: after they were in use it was discovered that they were not necessarily unique, so they were not re-defined for TLS 1.3.

This is what our RFC does: it defines a new generic channel binding that works over TLS 1.3 using Exported Keying Material (EKM). We're very happy to finally be able to enable channel binding again, and projects such as Prosody and Conversations have already started work to support the new RFC. We also have an implementation over on the mellium.im/sasl repo that has been verified against the Prosody implementation and will be released in the next update.
For more information, check out RFC 9266!
Another small piece of news is that Mellium has taken on a new project! The checkdoc command is a small Go linter that scans packages for comment and documentation related issues (i.e. missing documentation for public methods). We've been using it for a while, and it was partially written for Mellium's use. Now it's joining the Mellium collection of projects and will be owned by the Co-op, whatever that means going forward. This doesn't really change anything in the short term, but it's nice to have it under the Mellium umbrella!
The rest of the updates from the last few months have mostly been around moving to Codeberg. We're happy to be hosted on a platform that follows some of the cooperative values, and moving to Codeberg is one way we can support key 6, cooperation among cooperatives, in our day to day activities.
That's all for this month; updates will likely continue to be scarce until we can drum up some funds, but we're applying for grants and trying to find a way to keep Mellium development sustainable and on pace. We'll continue to update you as we can, and, as always, would love feedback from anyone interested in being a part of Mellium Co-op!