Critical thoughts about Mastodon
I'm sorry, I think I managed to misconvey my question badly.
I wanted to ask about the reason why your experience _with harassment_ over email is better. You mentioned (IIUC) that it's better because it's easier to ignore there; I wonder whether the presumably smaller volume of harassment (in absolute terms) is also important. (If this is the question you were responding to, then I'm very confused by your answer.)
Is the difference between fedi and email for you mostly a matter of expectations, or does volume of unwanted messages also play an important role (given that you don't publish your email in a very obvious way, I'd expect the volume to be much smaller for email, but maybe I'm way off)?
https://x.com/kayseesee/status/1725587747279380831
For people not wanting to click Twitter links:
> I am proud to present you the pre-print of our paper on GWP-ASan. 5+ years of work by four companies, spanning Server, Desktop, and Mobile, running on billions of devices. Finding and fixing thousands of bugs and potential vulnerabilities.
@Martin__Hope@sueden.social @freistern
It's also always a bit worse at Christmas: the ventilation is more inadequate and people feel a greater compulsion not to miss the celebration (because it only happens once a year).
@anarchiv for a reason I don't know, my city doesn't want any teabags in its compost collection; maybe it's because people won't be able to distinguish, though
@grimfrenzy@mstdn.social @delroth if the code of conduct is intended to inform people who might wish to join the community (which I believe they are; otherwise there would be no need to publish them), you also have the case of someone who's scrupulous enough to read it before doing anything else in the community.
All will be fine until the whistle randomly stops working and you melt the kettle (speaking from experience :)).
I think I had the same feeling. In both cases I initially found a lot of descriptions aimed at using git/nix for various things, which didn't help at all with building a model of how things work. For git the thing that made me understand it was a description (that I have since lost track of) that described all the typical operations in terms of how they affect the commit graph (and described explicitly that commits are actually trees and the diffs are just diffs between them). For nix, the thing that helped me in a similar way was https://nixos.org/guides/nix-pills/, even though they felt less complete.
Note that this breaks down somewhat for flakes that provide something other than a package or a system configuration (a module, or an overlay, or a flake template).
Why is MAY so negative? I think I saw it often used to indicate something that's a reasonable thing to do, but not something the RFC wanted to make a recommendation about either way (except to point out that the possibility exists and doesn't contravene any other requirements).
nitpicking
Embedded software waiting on the hardware? Then it might be the hardware developer who has failed.
I also wonder what you think about software whose only point is communicating with a particular remote thing in a synchronous way: it needs to do _something_ while it establishes the connection.
@kravietz @Natanox @europarl_en @EU_Commission
OK, so I'm back to my original opinion of "this will not work as intended[1], might be harmful and contravenes the approach of giving people more choice as long as it doesn't harm others directly, but it's by far not the most important thing right now".
I would have really liked it if this were aimed at creating a binding between domain names and identities, but eh~~
[1] because _everything_ in whatwg specs assumes that documents in the same origin implicitly trust each other and their own resources
@kravietz @Natanox @europarl_en @EU_Commission
> nothing in eIDAS prevents anyone, including Mozilla or Google, from monitoring and running checks on both their (CABForum/WebTrust) and QWAC certificates the way CT does
And yet we consider that to be insufficient for web certificates and require CAs to preregister their certs in sufficiently many independent CT logs.
> and result in a huge shit storm, that would in the first place impact the QCA that issued it and result in its removal from the EU TSL.
I am uncertain of the size of the shitstorm and of this result, esp. when there's some kind of an excuse for the behaviour, esp. given the very imprecise definition of what's a valid domain name in Annex IV (if there were a document that was binding for the QWAC CAs (and whose contravention was likely to lead to their penalization) that specified this more precisely, I would very likely change my mind).
I would also like to reiterate that _as long as untrusted entities can generate DV certs for your site_ any properties of your certs are mostly meaningless. First, those entities can MitM _some_ of the connections to your site, and TTBOMK browsers show the EV properties based on the connection used to load the actual document. Anything else could be loaded from someone presenting a different cert, or could have been cached weeks ago (yes, this is a way in which cert expiry and revocation is kinda broken). Secondly, if the site gives some private data to the user, whoever has a DV cert for that site can get at that data with basically no user interaction (redirect them from any other site they visit to this site, etc.).
The only way these properties are meaningful is by providing a binding between the organization name and domain name.
One other neutrino detector whose name escapes me was measuring paths of charged particles (products of neutrino interactions) by having them induce current in a wire, and did that multiple times for each particle to find its velocity and position. (Obviously each such interaction changed the particle's path.)
@kravietz @Natanox @europarl_en @EU_Commission
And, now that I think of this more, what does "wrong" domain name mean? Normally this means "different than what DNS claims", with a dispute resolution system for impersonation etc. provided by the registry. If this is an attempt to add another dispute resolution system that circumvents (foreign) registries, then it's terribly underhanded and would create problems worse than the one it solves (the original domain holder would still have valid certs for their domain and likely be able to renew them, so if they could present them they could be same origin with the new domain holder).
The Annex IV you pointed at is very lackadaisical and doesn't resolve my concerns:
> Qualified certificates for website authentication shall contain:
> (e) the domain name(s) operated by the natural or legal person to whom the certificate is issued;
@kravietz @Natanox @europarl_en @EU_Commission
I mentioned the case of a cert where everything is fine apart from the domain name in subject name/subject alternative name, which you don't address.
@kravietz @Natanox @europarl_en @EU_Commission
Any valid HTTPS cert is, possibly among others, a DV cert. If you present a cert with no domain name, IIRC the client must reject it.
HTTPS also does not have a concept of a cert where different root CAs attest different parts of it. So, we'd need to trust domain names from certs issued by these CAs or not trust them at all. So that regulation forces browsers to trust domain names from certs issued by those CAs.
I don't know whether regulations that those CAs are obliged to obey would penalize them for minting a cert with all EV-like properties valid, but a completely bizarre/unverified domain name.
> EU TSL roots would only sign QWAC certificates, which by their specification cannot be DV.
Do you mean that them signing a pure DV cert would be misissuance that can be penalized?
@kravietz @Natanox @europarl_en @EU_Commission
So, the new EU regulation forces browsers to trust these CAs for DV, and you're saying that the regulations these CAs are held to do not apply to their activity when they mint purely DV certs. For reasons of multiheaded cert chains being ~unsupported there is no distinction between trusting for EV and trusting for DV+EV. Am I missing something?
@kravietz @Natanox @europarl_en @EU_Commission
Would they apply to issuance of pure DV certs?
I enjoy things around information theory (and data compression), complexity theory (and cryptography), read hard scifi, currently work on weird ML (we'll see how it goes), am somewhat literal minded and have approximate knowledge of random things. I like when statements have truth values, and when things can be described simply (which is not exactly the same as shortly) and yet have interesting properties.
I live in the largest city of Switzerland (and yet have cow and sheep pastures and a swimmable lake within a few hundred meters of my place :)). I speak Polish, English, German, and can understand simple Swiss German and French.
If in doubt, please err on the side of being direct with me. I very much appreciate when people tell me that I'm being inaccurate. I think that satisfying people's curiosity is the most important thing I could be doing (and usually enjoy doing it). I am normally terse in my writing and would appreciate requests to verbosify.
I appreciate it if my grammar or style is corrected (in any of the languages I use here).