[Spec] Spec (un)freezes and the spec's future

Alex // nytpu <alex (a) nytpu.com>

Hey everyone,

Solderpunk at some point mentioned a temporary spec freeze, unfreezing
for early 2021, then permanently finalizing the spec. I have no idea if
this is still the plan or not, but I still feel it would be a good idea
to discuss: what modifications would be made to the spec in an
"unfrozen" period, if any; what modifications would be made to the spec
in its permanent finalization stage; and how companion specs and the
like would be dealt with, both now and in the finalization stage.


Firstly, how spec changes should be approached in an unfrozen period, if
any of those pop up. We may be in one now, since Solderpunk updated the
spec to fix schemes? But at any rate, I believe most would agree that
the current state of debate is probably not the best in terms of
actually coming to an agreement. Not that you'll ever reach 100%
consensus, but most current debates seem pretty evenly divided which
isn't conductive to actually choosing a side to reflect in the spec. I'm
unsure how to remedy this, but I'm bringing it up.

On what changes should actually be made, in my opinion the only changes
that should be made at this point should be to fix glaring problems in
the spec. I guess that creates another problem, because people can't
even agree what a "glaring problem" is! Solderpunk's been pretty
reasonable, so I'll leave it up to them to actually decide what's a
problem and what's not, but it's a rule of thumb to say that things that
"would be nice" shouldn't be included at this point (I'm saying this as
someone who has a few would-be-nices of my own[a]). As a second rule of
thumb, I'd say no breaking changes, even if they do fix a problem in the
spec. Backwards compatibility is painful, but luckily we only have a
year and a half to deal with as opposed to the decades some projects
have to be compatible with, so hopefully it isn't as much of a hardship
as it possibly could've been.


Onto a permanent spec freeze, if such a thing would occur. I believe
making the spec totally immutable would be arrogant on our part, because
you can't pretend that it is 100% perfect. I'd say that no feature
changes, and few to no major changes in general should be made. I'd say
that there should only be three classes of changes in a finalized spec:
technological upgrades, clarifications, and error corrections.
Technological upgrades would be if a component of the stack has an
upgrade or a replacement, particularly when there's security involved.
To use TLS as an example, it would be removing TLSv2 support when TLSv3
reaches wide support. Clarifications would be just that, clarifications
of the spec in areas that are unclear or create ambiguity. Error
corrections would be fixing minor errors and edge cases that can be
fixed without breaking anything, and add no new features. This is
breaking so wouldn't count, but an example of error correction would be
the most recent spec change that adds a mandatory scheme to requests.


Finally, I'd like to address companion specs. Especially if the spec is
permanently finalized, there will be companion specs popping up all over
the place. This can be viewed as good, because it means that each spec
is nice and unix-y, doing only one thing each. This creates the problem
the web has though, where authors are expected to support an amorphous
and constantly changing group of specs and results in huge applications
that are impossible to maintain. Even if companion specs like Titan are
fine now, it leaves a huge opening for the web-ification of gemini in
the future WHEN (not if) FAANG-inspired malicious actors take an
interest in it. There are a few ways to address this, from the hardliner
approach of completely disallowing companions to the 100% inclusive
approach of creating a dedicated RFC listing. Obviously a middle ground
will have to be found, but a discussion on where exactly that may be is
warranted. You don't want to cut out useful things like titan, but you
also don't want to leave a huge extensibility window open.


A long rambling of my thoughts, but there's some discussion points (that
in hindsight should've been broken up into multiple emails) that IMO
should be addressed before any firm decisions are made regarding the
future of the spec.

~nytpu


[a]: https://lists.orbitalfox.eu/archives/gemini/2020/003748.html

-- 
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://useplaintext.email/

Link to individual message.

Stephane Bortzmeyer <stephane (a) sources.org>

On Sat, Dec 19, 2020 at 11:52:18PM -0700,
 Alex // nytpu <alex at nytpu.com> wrote 
 a message of 113 lines which said:

> On what changes should actually be made, in my opinion the only
> changes that should be made at this point should be to fix glaring
> problems in the spec. I guess that creates another problem, because
> people can't even agree what a "glaring problem" is!

The lack of any mention of IDN and IRI in the spec (and how to handle
them) is certainly a glaring problem. We are in 2020, we start a
completely new system, internationalization should not be an option.

> Solderpunk's been pretty reasonable, so I'll leave it up to them to
> actually decide what's a problem and what's not,

The way, I understand it, Gemini's governance is basically "Solderpunk
decides". This has good properties (it allows to keep the spec
consistent, and it avoids the committee effect) and bad ones, too
(when Solderpunk is busy with his relocation). But I agree that there
is no obvious alternative.

> As a second rule of thumb, I'd say no breaking changes, even if they
> do fix a problem in the spec. Backwards compatibility is painful,

I disagree here. I don't think that backward compatibility should be a
goal.


strengths of Gemini, when compared to, say, HTTP).


changes.


not be too complicated.

> the 100% inclusive approach of creating a dedicated RFC listing.

This approach seems reasonable. This is what the christian church did,
after all, write a canon, a list of approved texts
<https://en.wikipedia.org/wiki/Biblical_canon>.

Link to individual message.

Sean Conner <sean (a) conman.org>

It was thus said that the Great Stephane Bortzmeyer once stated:
> On Sat, Dec 19, 2020 at 11:52:18PM -0700,
>  Alex // nytpu <alex at nytpu.com> wrote 
>  a message of 113 lines which said:
> 
> > As a second rule of thumb, I'd say no breaking changes, even if they
> > do fix a problem in the spec. Backwards compatibility is painful,
> 
> I disagree here. I don't think that backward compatibility should be a
> goal.

  I agree with Stephane (as much as I might have hemmed and hawed over
supporting IDN/IDI).  If we don't fix this now, it will be *years* before
it's fixed.  Gemini is still a young protocol.

  -spc

Link to individual message.

Solderpunk <solderpunk (a) posteo.net>

On Sun Dec 20, 2020 at 11:12 AM CET, Stephane Bortzmeyer wrote:

> The way, I understand it, Gemini's governance is basically "Solderpunk
> decides". This has good properties (it allows to keep the spec
> consistent, and it avoids the committee effect) and bad ones, too
> (when Solderpunk is busy with his relocation). But I agree that there
> is no obvious alternative.

This is, indeed, pretty much the model.  I admit it is in many ways far
from ideal (although so-called "benevolent dictatorship" has a long and
not unsuccessful history in the FOSS world), although it's far from
clear to me what else can work well with a project that's supposed to be
small and simple with a clear, finite scope.

This model is clearly not sustainable in the long term (I might get hit
by a bus tomorrow), but I think this is okay because I don't view this
as a long term project.  This is a "Perfection is achieved, not when
there is nothing more to add, but when there is nothing left to take
away" kind of project.  I have no interest in regularly adding new
features or upgrading parts of stack.  So, there's no need for stable
long-term governance because at some point, and hopefully not too far
from now, things will be "done".

More on that point shortly...

Cheers,
Solderpunk

Link to individual message.

Solderpunk <solderpunk (a) posteo.net>

On Sun Dec 20, 2020 at 7:52 AM CET, Alex // nytpu wrote:

> Solderpunk at some point mentioned a temporary spec freeze, unfreezing
> for early 2021, then permanently finalizing the spec. I have no idea if
> this is still the plan or not, but I still feel it would be a good idea
> to discuss: what modifications would be made to the spec in an
> "unfrozen" period, if any; what modifications would be made to the spec
> in its permanent finalization stage; and how companion specs and the
> like would be dealt with, both now and in the finalization stage.

To be honest, I don't at this point remember precisely what I said
previously, but my hope is still to have this whole thing finalised in
the first half of 2021, and even better in the first quarter.  I'm not
sure there's much value at this point to establishing an exact schedule
with clearly demarcated frozen/unfrozen states.  The permanent freeze on
non-trivial new features I announced several months ago is, well, still
in place because that's what permanent means.  There are a few issues
under consideration right now (the IRI/IDN issue, a desire for clarity
on "streaming" responses, and some finicky point about URLs which I need
to remind myself of), and I'm preparing to start finally addressing
these things during my time off between Christmas and the New Year
(expect me to finally offer some thoughts on the IRI/IDN thing in the
new few days).  I don't envision anything else being given serious
consideration.

> Onto a permanent spec freeze, if such a thing would occur. I believe
> making the spec totally immutable would be arrogant on our part, because
> you can't pretend that it is 100% perfect.

Things don't need to be 100% perfect to be useful.  I think it's
arrogant to *aim* for perfection.  I know it's very much going against
the grain to declare than any kind of software project is "done"; I know
that people nowadays explicitly avoid using or recommending software for
the sole reason that it is no longer being actively developed.  I
honestly think this is all very strange and backwards.  If, after an
initial busy development period of a year or so, each new release of a
program does not come out after a longer delay than the last one, it
probably means either the program is poorly designed and each fix or
improvement introduces more problems than it solves, so it's doomed to be
unreliable and/or inefficient forever, or else the program's scope is
too wide or too poorly defined, in which case it is doomed to expand
forever, growing ever more complex and featureful until it inevitably
becomes poorly designed and faces the same fate above.  There's no reason
that network protocols with humble aspirations should be any different.
Things can be "finished" and remain useful as-is for decades.  Perhaps
not forever, but certainly for decades.

Gopher is a great example here.  RFC 1436 is coming up on 28 years old
now.  There are very few changes/extensions to that specification which
are so widely used in Gopherspace today as to be considered basically
mandatory.  All those changes are themselves at least 20 years old at
this point, and they're minor enough that if the RFC were updated to
include them, it would likely not grow in length by more than 10%, and
90% of the lines would remain unchanged.  Despite this fossilised
status, Gopher remains useful, in use and well-loved today, and is in
fact undergoing a small resurgence.  It's proof that if you keep things
simple enough, you can get close enough to "right" the first time, which
is very much what I'd like Gemini to achieve.  It's true Gemini is more
complicated than Gopher - but it's also, I imagine, been designed by a
larger group of people over a longer period of time than Gopher was, and
at this point has received non-trivial real-world testing.

All of which is to say that I really do want to attempt a permanent spec
freeze.  I suppose I reserve the right to change my mind if cold hard
reality proves me wrong, but for now I don't really want to bother
making plans for how to handle this.

> Finally, I'd like to address companion specs. Especially if the spec is
> permanently finalized, there will be companion specs popping up all over
> the place. This can be viewed as good, because it means that each spec
> is nice and unix-y, doing only one thing each. This creates the problem
> the web has though, where authors are expected to support an amorphous
> and constantly changing group of specs and results in huge applications
> that are impossible to maintain. Even if companion specs like Titan are
> fine now, it leaves a huge opening for the web-ification of gemini in
> the future WHEN (not if) FAANG-inspired malicious actors take an
> interest in it. There are a few ways to address this, from the hardliner
> approach of completely disallowing companions to the 100% inclusive
> approach of creating a dedicated RFC listing. Obviously a middle ground
> will have to be found, but a discussion on where exactly that may be is
> warranted. You don't want to cut out useful things like titan, but you
> also don't want to leave a huge extensibility window open.

I don't see how completely disallowing companion specs is really
possible.  I could refuse to host them or to bless them as "official",
but if they're popular enough, people will implement them anyway.  Our
strongest possible defense here, IMHO, is keeping the core protocol so
easy to implement that there is always likely to be a wide variety of
clients in popular use.  That way, companion protocols cannot gain
traction unless multiple independent client developers all agree they
are worth supporting.  Anything contentious is doomed to never achieve
more than minority support.  The wider the variety of clients in use,
the harder it is for individual actors to push divisive expansions.

This is really a two-part defense strategy.  There's a technical part,
addressed through the spec itself, which is to make sure that client
implementation remains as easy as possible, but also a cultural part.
The cultural part is to cherish diversity and encourage a DIY ethic.

Cheers,
Solderpunk

Link to individual message.

John Cowan <cowan (a) ccil.org>

On Sun, Dec 20, 2020 at 9:58 AM Solderpunk <solderpunk at posteo.net> wrote:

Things don't need to be 100% perfect to be useful.  I think it's
> arrogant to *aim* for perfection.


Author:  "I know there are some mistakes in my book; after all, it is 777
pages long!"

Editor: "If you know there are mistakes, why don't you _fix_ them?"

I know it's very much going against
> the grain to declare than any kind of software project is "done"; I know
> that people nowadays explicitly avoid using or recommending software for
> the sole reason that it is no longer being actively developed.
>

"Some software is abandoned; other software is merely finished."  --me

(If you don't care about companion protocols and Dioscuri, skip the rest.)


> Our strongest possible defense here, IMHO, is keeping the core protocol so

easy to implement that there is always likely to be a wide variety of
> clients in popular use.  That way, companion protocols cannot gain
> traction unless multiple independent client developers all agree they
> are worth supporting.


As someone whose proposed extension protocol has probably made the most
noise, I would point out that Dioscuri clients and servers will typically

at all.  Dioscuri native applications and front-end engines are not
browsers, and Dioscuri servers are more like Tomcat than like Apache.

To hold down on the number of posts, I'll just mention that the spec for
Dioscuri is now at <
https://gist.github.com/johnwcowan/d3211496ad89125c77297c6586ebe176>.  I
will probably edit it further, especially if there are changes in the
Gemini spec that also make sense for Dioscuri.  The TL;dr version of the
protocol is that the client sends a media type along with the URL; and
follows it with an appropriate body; otherwise it is the same as Gemini.

I want to specially acknowledge Sandra Snan, who said that Dioscuri needed
a server-served, client-executed programming language to make a front-end
engine programmable.  I agree, and I'm now working on just such a
language.  My sources so far are ABC (the ancestor of Python), PROMAL (a
programming language for Apple II and Commodore systems), Perl 1.0,
Microsoft Small Basic, and the libplot library, plus the ability to execute
REST requests at least via Gemini and Dioscuri.  It will have much the same
goals as Gemini (see the FAQ) insofar as they are applicable to language
design, and will be aimed at beginning and perpetual-intermediate
programmers without being too excruciating for advanced programmers.



John Cowan          http://vrici.lojban.org/~cowan        cowan at ccil.org
Her he asked if O'Hare Doctor tidings sent from far coast and she with
grameful sigh him answered that O'Hare Doctor in heaven was.  Sad was the
man that word to hear that him so heavied in bowels ruthful.  All she
there told him, ruing death for friend so young, algate sore unwilling
God's rightwiseness to withsay.   Joyce, Ulysses, "Oxen of the Sun"

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 20, 2020, at 11:12, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
>> the 100% inclusive approach of creating a dedicated RFC listing.
> 
> This approach seems reasonable. This is what the christian church did,
> after all, write a canon, a list of approved texts
> <https://en.wikipedia.org/wiki/Biblical_canon>.

Dogmatism aside, this sounds like a great, pragmatic,  way to organize the inevitable.

Cat Herders
https://www.youtube.com/watch?v=m_MaJDK3VNE

Link to individual message.

Simon <simon (a) g-n.site>

As I wrote to Solderpunk before I subscribed to this mailing list, specs 
should add something about input logging :

There is not any information about input logging. I think a page asking 
for a sensitive information must not log the user input.

For instance if the page "/sensitive" returns a 11 code if there is no 
input, then it must not log inputs when there is one.

The problem is if an application needs a user password, then even if the 
password is well stored, it will remain in plain text in logs.


It would be better to have this:

 ```
127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 11 
Password: 14
127.0.0.1 [30/Nov/2020:11:10:21 +0100] "gemini://localhost/password?" 30 / 6
127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
text/gemini 27
 ```

instead of this (this output comes from a test done with jetforce):

 ```
127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 11 
Password: 14
127.0.0.1 [30/Nov/2020:11:10:21 +0100] 
"gemini://localhost/password?secret_password" 30 / 6
127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
text/gemini 27
 ```

Logging normal Input and not sensitive input can be annoying. **It can 
be considered to not log any input as an easier way.** Then all input 
can be considered as sensitive + sensitive inputs needs to prevent 
shoulder surfers in addition.

Also, sensitive inputs should not remain in the client history if there 
is one.

Link to individual message.

Simon <gemini (a) g-n.site>

As I wrote to Solderpunk before I subscribed to this mailing list, specs 
should add something about input logging :

There is not any information about input logging. I think a page asking 
for a sensitive information must not log the user input.

For instance if the page "/sensitive" returns a 11 code if there is no 
input, then it must not log inputs when there is one.

The problem is if an application needs a user password, then even if the 
password is well stored, it will remain in plain text in logs.


It would be better to have this:

 ```
127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 11 
Password: 14
127.0.0.1 [30/Nov/2020:11:10:21 +0100] "gemini://localhost/password?" 30 / 6
127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
text/gemini 27
 ```

instead of this (this output comes from a test done with jetforce):

 ```
127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 11 
Password: 14
127.0.0.1 [30/Nov/2020:11:10:21 +0100] 
"gemini://localhost/password?secret_password" 30 / 6
127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
text/gemini 27
 ```

Logging normal Input and not sensitive input can be annoying. **It can 
be considered to not log any input as an easier way.** Then all input 
can be considered as sensitive + sensitive inputs needs to prevent 
shoulder surfers in addition.

Also, sensitive inputs should not remain in the client history if there 
is one.

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 21, 2020, at 22:30, Simon <gemini at g-n.site> wrote:
> 
> As I wrote to Solderpunk before I subscribed to this mailing list, specs 
should add something about input logging :

Two points:

- Usually, a spec is not meant to mandate implementation details.. i.e. do 
that, don't do that... as it has no mean to enforce any of it... its role 
is rather to describe a normative interaction (the protocol) or format (text/gemini). 

- The gemini protocol is not well tailored to handle anything sensitive. 
Perhaps best to avoid creating such situation in the first place. 

That said, Gemini could sport a set of recommendation and/or "best 
practices" in a companion document, such as "be mindful of what you log as 
it may contain sensitive information" and "consider using the underlying 
TLS mechanism for strong authentication". 

Also, it is quite common for a RFC to sport a "security consideration" section:

Guidelines for Writing RFC Text on Security Considerations
https://tools.ietf.org/html/rfc3552

Actually, it's mandatory.

Hopefully, Gemini will mature into a proper set of RFCs, with syntax 
grammar, security considerations, and all. Until then, the FAQ may be 
another place to park such consideration.

Finally, The National Institute of Standards and Technology has a rather 
comprehensive document on the matter:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

Perhaps a bit overwhelming at first sight, but then again, nothing is as 
trivial as it seems.

Link to individual message.

Stephane Bortzmeyer <stephane (a) sources.org>

On Mon, Dec 21, 2020 at 11:10:46PM +0100,
 Petite Abeille <petite.abeille at gmail.com> wrote 
 a message of 44 lines which said:

> - Usually, a spec is not meant to mandate implementation
> details.. i.e. do that, don't do that... as it has no mean to
> enforce any of it... its role is rather to describe a normative
> interaction (the protocol) or format (text/gemini).

In another way: the spec of a network protocol is here to allow

influence on interoperability.

> - The gemini protocol is not well tailored to handle anything
> sensitive.

Why? At least for privacy, it is certainly better than HTTPS.

> That said, Gemini could sport a set of recommendation and/or "best
> practices" in a companion document, such as "be mindful of what you
> log as it may contain sensitive information" and "consider using the
> underlying TLS mechanism for strong authentication".

Good idea. A good example is RFC 8932. It is for DNS servers but its
method can be applied to Gemini servers easily. For instance, it
contains a very good and detailed discussion of IP addresses "anonymization".

gemini://gemini.bortzmeyer.org/rfc-mirror/rfc8932.txt

> Guidelines for Writing RFC Text on Security Considerations
> https://tools.ietf.org/html/rfc3552

Or on the geminispace

gemini://gemini.bortzmeyer.org/rfc-mirror/rfc3552.txt

> Finally, The National Institute of Standards and Technology has a rather 
comprehensive document on the matter:

Since one of the goals of Gemini is privacy, I don't think that
relying on an US official document is a good idea.

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 22, 2020, at 08:42, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> On Mon, Dec 21, 2020 at 11:10:46PM +0100,
> Petite Abeille <petite.abeille at gmail.com> wrote 
> a message of 44 lines which said:
> 
>> - Usually, a spec is not meant to mandate implementation
>> details.. i.e. do that, don't do that... as it has no mean to
>> enforce any of it... its role is rather to describe a normative
>> interaction (the protocol) or format (text/gemini).
> 
> In another way: the spec of a network protocol is here to allow
> *interoperability*. Unilateral actions (such as logging) has no
> influence on interoperability.

Right. The specification should concern itself with interoperability.

> 
>> - The gemini protocol is not well tailored to handle anything
>> sensitive.
> 
> Why? At least for privacy, it is certainly better than HTTPS.

I'm not a security expert, so I will spare myself the embarrassment of 
articulating a cogent answer, but by "sensitive" I understood "secure". 

There are different aspects to security: data at rest vs data in transit 
vs data in use, etc.

A threat model helps as well: https://blog.ivanristic.com/2009/09/ssl-threat-model.html

In any case, all above my pay grade. Perhaps someone with actual expertise 
in this domain could help out. 

Privacy is something else altogether.

> 
>> That said, Gemini could sport a set of recommendation and/or "best
>> practices" in a companion document, such as "be mindful of what you
>> log as it may contain sensitive information" and "consider using the
>> underlying TLS mechanism for strong authentication".
> 
> Good idea. A good example is RFC 8932. It is for DNS servers but its
> method can be applied to Gemini servers easily. For instance, it
> contains a very good and detailed discussion of IP addresses "anonymization".
> 
> gemini://gemini.bortzmeyer.org/rfc-mirror/rfc8932.txt

Nice.

> 
>> Guidelines for Writing RFC Text on Security Considerations
>> https://tools.ietf.org/html/rfc3552
> 
> Or on the geminispace
> 
> gemini://gemini.bortzmeyer.org/rfc-mirror/rfc3552.txt

Let's split the difference:

https://portal.mozz.us/gemini/gemini.bortzmeyer.org/rfc-mirror/rfc3552.txt

In general, would people prefer gemini links? or http ones?

Accessibility is an issue. At this conjuncture, I do not have the proper 
tooling to systematically provide gemini links by default.  

> 
>> Finally, The National Institute of Standards and Technology has a 
rather comprehensive document on the matter:
> 
> Since one of the goals of Gemini is privacy, I don't think that
> relying on an US official document is a good idea.
> 

This is a technical document, not a political pamphlet. Let's keep it that way.

By the same account, avoid ARPANET and its decedents. A creation of the 
United States Department of Defense.

Let's not be overly childish.

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 22, 2020, at 08:42, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> Since one of the goals of Gemini is privacy

While at it, has this assertion been validated in any ways? Is Gemini 
actually private in any meaningful way?

Just sticking a 'TLS'  sticker on it a calling it done seem cavalier.

Again, a bit above my pay grade, but between the small size of the user 
base, more or less static IP addresses, unique TLS variations, not to 
mention long lived TLS client side certificates, all forming a nice and 
easy digital fingerprint, Gemini could be a privacy minefield in practice.

Has someone the tooling and expertise to weight in one way or another?

Link to individual message.

Stephane Bortzmeyer <stephane (a) sources.org>

On Tue, Dec 22, 2020 at 10:07:11AM +0100,
 Petite Abeille <petite.abeille at gmail.com> wrote 
 a message of 23 lines which said:

> > Since one of the goals of Gemini is privacy
> 
> While at it, has this assertion been validated in any ways?

It is a *goal*. It does not have to be "validated". I did not say this
goal was reached.

> Is Gemini actually private in any meaningful way?

AFAIK, there was no serious security/privacy evaluation of Gemini
yet.

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 22, 2020, at 10:54, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> On Tue, Dec 22, 2020 at 10:07:11AM +0100,
> Petite Abeille <petite.abeille at gmail.com> wrote 
> a message of 23 lines which said:
> 
>>> Since one of the goals of Gemini is privacy
>> 
>> While at it, has this assertion been validated in any ways?
> 
> It is a *goal*. It does not have to be "validated". I did not say this
> goal was reached.

Perhaps worthwhile validating such aspiration, practically speaking, in 
the field. Otherwise, it sounds like a lot of empty words.

I do not volunteer, as I don't have the skills. Anyone with such skillset?

> 
>> Is Gemini actually private in any meaningful way?
> 
> AFAIK, there was no serious security/privacy evaluation of Gemini
> yet.

That would be a valuable insight.

PSA: Anyone around the gemini space with such expertise?

Link to individual message.

Stephane Bortzmeyer <stephane (a) sources.org>

On Tue, Dec 22, 2020 at 09:40:42AM +0100,
 Petite Abeille <petite.abeille at gmail.com> wrote 
 a message of 91 lines which said:

> > Since one of the goals of Gemini is privacy, I don't think that
> > relying on an US official document is a good idea.
> 
> This is a technical document, not a political pamphlet. Let's keep
> it that way.

When, it comes to logging, there is no such thing as a purely technical
document. Since surveillance is a big issue and a big concern on the
Internet, logging is always very political.

> By the same account, avoid ARPANET and its decedents. A creation of
> the United States Department of Defense.

Completely unrelated. We do not talk about a tool (which may be used
in different ways) but about recommendations from an US agency.

> Let's not be overly childish.

Then, wise grown-up, tell me how to reconcile the US view "personal
data are free to use" with the GDPR view "personal data are like
plutonium, handle with care".

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 22, 2020, at 18:30, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> Then, wise grown-up

Surely a case of mistaken identity :P

> , tell me how to reconcile the US view "personal
> data are free to use" with the GDPR view "personal data are like
> plutonium, handle with care".

International Safe Harbor Privacy Principles
https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

But in practice, they don't. This is why you end up with a data center in 
Dallas vs one in Frankfurt. There are various other complications, 
industry specific, such as healthcare and finance to name but two.

Not sure where this leaves California.

Link to individual message.

Jason McBrayer <jmcbray (a) carcosa.net>

Alex // nytpu <alex at nytpu.com> writes:

> Finally, I'd like to address companion specs. Especially if the spec
> is permanently finalized, there will be companion specs popping up all
> over the place.

An article I'm procrastinating on writing deals with companion specs;
maybe I'll even get it out the door one day. The tldr; is that they
shouldn't exist. The use of HTTP and its companions to implement any
arbitrary application is an aberration, and it shouldn't be looked at as
the norm for new/smol protocols. Applications should define a public
protocol that meets their needs, and people should choose applications
using those protocols. Don't build a forum on top of Gemini: spin up an
NNTP server[1].

Jason McBrayer/GCU Prosthetic Conscience

[1]: I'm actually pondering working on a successor protocol to NNTP -
     email me directly if interested.

-- 
+-----------------------------------------------------------+
| Jason F. McBrayer                    jmcbray at carcosa.net  |
| A flower falls, even though we love it; and a weed grows, |
| even though we do not love it.            -- Dogen        |

Link to individual message.

Luke Emmet <luke.emmet (a) orlando-lutes.com>



On 21-Dec-2020 20:00, Simon wrote:
> As I wrote to Solderpunk before I subscribed to this mailing list, 
> specs should add something about input logging :
>
> There is not any information about input logging. I think a page 
> asking for a sensitive information must not log the user input.
>
> For instance if the page "/sensitive" returns a 11 code if there is no 
> input, then it must not log inputs when there is one.
>
> The problem is if an application needs a user password, then even if 
> the password is well stored, it will remain in plain text in logs.
>
>
> It would be better to have this:
>
> ```
> 127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 
> 11 Password: 14
> 127.0.0.1 [30/Nov/2020:11:10:21 +0100] "gemini://localhost/password?" 
> 30 / 6
> 127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
> text/gemini 27
> ```
>
> instead of this (this output comes from a test done with jetforce):
>
> ```
> 127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 
> 11 Password: 14
> 127.0.0.1 [30/Nov/2020:11:10:21 +0100] 
> "gemini://localhost/password?secret_password" 30 / 6
> 127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
> text/gemini 27
> ```
>
> Logging normal Input and not sensitive input can be annoying. **It can 
> be considered to not log any input as an easier way.** Then all input 
> can be considered as sensitive + sensitive inputs needs to prevent 
> shoulder surfers in addition.
>
> Also, sensitive inputs should not remain in the client history if 
> there is one.

Hello

The general problem is we cannot know which are sensitive URLs and which 
are not.

All parameterised gemini URLs are shareable and linkable - and like HTTP 
GET requests, persistable, somewhat-cacheable and promiscuous. That is 
the normal state of affairs and why the hyperlink powers the internet.

So if I have a URL gemini://host/endpoint?foo - tell me, is foo 
sensitive or not? The answer is we dont know. I can link to this from 
another website.

In my opinion it was a mistake to add the status 11 which lends a false 
sense of security. The URLs creates are in no way distinguishable from 
other URLs. Passing a password in a URL is a terrible choice.

Obviously a server might have some heuristics about what is probably 
sensitive,  some end points might be more sensitive, some not. But there 
is nothing intrinsic to any URL that will indicate this. It is in my 
opinion bad design to build your app to use a password or other 
sensitive info on the URL.

  - Luke

-- 
______________________________________

Orlando Lutes
http://www.orlando-lutes.com

Link to individual message.

Luke Emmet <luke (a) marmaladefoo.com>


On 21-Dec-2020 20:00, Simon wrote:
> As I wrote to Solderpunk before I subscribed to this mailing list, 
> specs should add something about input logging :
>
> There is not any information about input logging. I think a page 
> asking for a sensitive information must not log the user input.
>
> For instance if the page "/sensitive" returns a 11 code if there is no 
> input, then it must not log inputs when there is one.
>
> The problem is if an application needs a user password, then even if 
> the password is well stored, it will remain in plain text in logs.
>
>
> It would be better to have this:
>
> ```
> 127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 
> 11 Password: 14
> 127.0.0.1 [30/Nov/2020:11:10:21 +0100] "gemini://localhost/password?" 
> 30 / 6
> 127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
> text/gemini 27
> ```
>
> instead of this (this output comes from a test done with jetforce):
>
> ```
> 127.0.0.1 [30/Nov/2020:11:10:15 +0100] "gemini://localhost/password" 
> 11 Password: 14
> 127.0.0.1 [30/Nov/2020:11:10:21 +0100] 
> "gemini://localhost/password?secret_password" 30 / 6
> 127.0.0.1 [30/Nov/2020:11:10:22 +0100] "gemini://localhost/" 20 
> text/gemini 27
> ```
>
> Logging normal Input and not sensitive input can be annoying. **It can 
> be considered to not log any input as an easier way.** Then all input 
> can be considered as sensitive + sensitive inputs needs to prevent 
> shoulder surfers in addition.
>
> Also, sensitive inputs should not remain in the client history if 
> there is one.

Hello

The general problem is we cannot know which are sensitive URLs and which 
are not.

All parameterised gemini URLs are shareable and linkable - and like HTTP 
GET requests, persistable, somewhat-cacheable and promiscuous. That is 
the normal state of affairs and why the hyperlink powers the internet.

So if I have a URL gemini://host/endpoint?foo - tell me, is foo 
sensitive or not? The answer is we dont know. I can link to this from 
another website.

In my opinion it was a mistake to add the status 11 which lends a false 
sense of security. The URLs creates are in no way distinguishable from 
other URLs. Passing a password in a URL is a terrible choice.

Obviously a server might have some heuristics about what is probably 
sensitive,  some end points might be more sensitive, some not. But there 
is nothing intrinsic to any URL that will indicate this. It is in my 
opinion bad design to build your app to use a password or other 
sensitive info on the URL.

  - Luke

Link to individual message.

Simon <gemini (a) g-n.site>


Maybe we should move this thread if it continues, since it is not spec 
but recommendation. And actually, reading again the solderpunk answer: 
he told me that it is going on good practice and not spec. ^^'

On 12/22/20 7:35 PM, Luke Emmet wrote:
> 
> On 21-Dec-2020 20:00, Simon wrote:
>>  **It can be considered to not log any input as an easier way.** Then all input 
>> can be considered as sensitive + sensitive inputs needs to prevent 
>> shoulder surfers in addition.
>>
>> Also, sensitive inputs should not remain in the client history if 
>> there is one.
> 
> The general problem is we cannot know which are sensitive URLs and which 
> are not. 

Then we agree on that !

I just wanted to show that we are easily thinking gemini input as HTTP 
GET parameters, but they aren't, even if they are passed in the URL. The 
only way to not deal with this server side problem, would be to not log 
any input.

Link to individual message.

Robert khuxkm Miles <khuxkm (a) tilde.team>

December 22, 2020 1:56 PM, "Simon" <gemini at g-n.site> wrote:

> The only way to not deal with this server side problem, would be to not log any input.

Or just don't bother. If someone's building an application that takes 
passwords as Gemini input, that's their prerogative, especially with 
client certs being a first class citizen in Gemini.

Just my two cents,
Robert "khuxkm" Miles

Link to individual message.

Stephane Bortzmeyer <stephane (a) sources.org>

On Tue, Dec 22, 2020 at 01:28:30PM -0500,
 Jason McBrayer <jmcbray at carcosa.net> wrote 
 a message of 25 lines which said:

> An article I'm procrastinating on writing deals with companion
> specs; maybe I'll even get it out the door one day. The tldr; is
> that they shouldn't exist. The use of HTTP and its companions to
> implement any arbitrary application is an aberration,

But what about "side specifications" such as robots.txt?

Link to individual message.

Petite Abeille <petite.abeille (a) gmail.com>



> On Dec 22, 2020, at 20:42, Stephane Bortzmeyer <stephane at sources.org> wrote:
> 
> But what about "side specifications" such as robots.txt?

Or "Implementation Recommendation" (aka lesson learned, ~faq, etc )?, such as 

IMAP4 Implementation Recommendations
https://tools.ietf.org/html/rfc2683

Link to individual message.

Luke Emmet <luke (a) marmaladefoo.com>



On 22-Dec-2020 18:56, Simon wrote:
>
>> The general problem is we cannot know which are sensitive URLs and 
>> which are not. 
>
> Then we agree on that !
>
> I just wanted to show that we are easily thinking gemini input as HTTP 
> GET parameters, but they aren't, even if they are passed in the URL. 
> The only way to not deal with this server side problem, would be to 
> not log any input.

Except - au contraire - they are indeed very like HTTP GET parameters, 
ticking the same boxes just like HTTP

[x] part of the URL syntax
[x] linked to a client UI behaviour
[x] opaque, server-specific semantics
[x] replayable when the link is shared elsewhere
[x] largely indistinguishable from other elements of the URL submitted 
to the server (e.g. host/foo/bar ~ host/foo?bar)

I know the web is officially persona-non-grata round these parts, but 
URL semantics are more or less common when using them for a distributed 
hypertext system of webspace or geminispace

Regards

  - Luke

Link to individual message.

---

Previous Thread: [tech] the duplo protocol

Next Thread: [ANN] a tiny Gemini server written in Ruby