Hi Simon,
thanks for your mail.
On 11/01/2024 13.39, Holger Weiß wrote:
> * Simon Josefsson <simon(a)josefsson.org> [2024-01-11 13:10]:
>> I believe tls-server-end-point is generally best left unimplemented to
>> guide efforts towards supporting the stronger tls-exporter.
One use case I see for tls-server-end-point is that it allows for
supporting channel binding by setups where TLS is terminated by some
reverse proxy, thereby protecting against _some_ but not all attack
vectors that tls-exporter protects against.
Additionally, implementing tls-server-end-point demands minimal effort
since it is just based on the hash of the certificate. I believe that
not making it mandatory won't deter anyone who is inclined to implement
it, as it is a low hanging fruit.
Furthermore, we hope to achieve a high success rate by making it
mandatory to implement for servers.
You are correct, one should aim for better alternatives than
tls-server-end-point when implementing XEP-0440, and this should be
explicitly mentioned in the XEP. As it stands, the XEP does not clearly
convey this. I intend to propose a revision to rectify this in the near
future.
- Flow