Thilo, sorry!

I had somehow missed that SASL2 mandates XEP-0440. It makes a lot of sense.

But...

Openfire currently doesn't support any channel bindings.

It is sometimes used in cases where there is no TLS at all. This is quite deliberate and sensible in this case; please don't argue with this! This means there will always be cases where there are no channel bindings available (because there's no channel to bind to!).

The schema doesn't include a minOccurs, and that means minOccurs='1' by default. This means at least one channel binding MUST be included. Is this intentional?

I appreciate this is an oddball case (and I can support tls-server-endpoint for most normal cases), but is this the intent here, or was the expectation that the minOccurs should be '0'?

(I know tls-server-endpoint MUST be implemented, but MTI is not MTD etc).

Dave.
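The situation the message describes, as an added example that is not part of the thread and not Openfire's or the XEP's own code: a server that only advertises XEP-0440 channel-binding types when a TLS channel actually exists, and a client that selects a SCRAM -PLUS mechanism only when it shares a binding type with the server and has a channel to bind. The namespace `urn:xmpp:sasl-cb:0`, the `<sasl-channel-binding>`/`<channel-binding type='...'/>` elements, their placement inside the SASL2 `<authentication xmlns='urn:xmpp:sasl:2'>` feature, and the type names are taken from my reading of XEP-0440 and XEP-0388 and should be checked against the current texts; the stream-features documents are constructed for the example.

```python
"""XEP-0440 channel-binding capability: advertise and consume it.

Added example (not Openfire or XEP code). Assumed from XEP-0440/XEP-0388:
namespace urn:xmpp:sasl-cb:0, <sasl-channel-binding> with <channel-binding
type='...'/> children, carried inside the SASL2 <authentication> feature.
"""
import xml.etree.ElementTree as ET

CB_NS = "urn:xmpp:sasl-cb:0"
SASL2_NS = "urn:xmpp:sasl:2"
CB_TAG = f"{{{CB_NS}}}sasl-channel-binding"
CB_CHILD = f"{{{CB_NS}}}channel-binding"

# Constructed sample stream features for a TLS session (server supports
# channel bindings) and for a deliberately plaintext session (nothing to bind).
FEATURES_TLS = f"""<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <authentication xmlns='{SASL2_NS}'>
    <mechanism>SCRAM-SHA-256-PLUS</mechanism>
    <mechanism>SCRAM-SHA-256</mechanism>
    <sasl-channel-binding xmlns='{CB_NS}'>
      <channel-binding type='tls-server-end-point'/>
      <channel-binding type='tls-exporter'/>
    </sasl-channel-binding>
  </authentication>
</stream:features>"""

FEATURES_PLAINTEXT = f"""<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <authentication xmlns='{SASL2_NS}'>
    <mechanism>SCRAM-SHA-256</mechanism>
  </authentication>
</stream:features>"""


def advertise_channel_bindings(tls_active, server_types=("tls-server-end-point",)):
    """Server side: build the capability element for the features, or None.

    Without TLS there is no channel to bind to, so the server has no types to
    list. Rather than emit an empty <sasl-channel-binding/> (the form whose
    schema validity the message questions), it omits the element entirely.
    """
    if not tls_active:
        return None
    el = ET.Element(CB_TAG)
    for t in server_types:
        ET.SubElement(el, CB_CHILD, {"type": t})
    return el


def parse_sasl2_features(features_xml):
    """Client side: return (offered mechanisms, advertised binding types,
    whether the capability element was present at all)."""
    root = ET.fromstring(features_xml)
    auth = root.find(f"{{{SASL2_NS}}}authentication")
    if auth is None:
        return [], [], False
    mechs = [m.text.strip() for m in auth.findall(f"{{{SASL2_NS}}}mechanism") if m.text]
    cb = auth.find(CB_TAG)
    if cb is None:
        return mechs, [], False
    types = [c.get("type") for c in cb.findall(CB_CHILD) if c.get("type")]
    return mechs, types, True


def choose_mechanism(offered, advertised_types, client_types, tls_active):
    """Client side: use a -PLUS mechanism only when a TLS channel exists and
    both sides share a binding type (first client preference wins); otherwise
    fall back to the non-PLUS form. Returns (mechanism, binding type or None)."""
    common = [t for t in client_types if t in advertised_types]
    if tls_active and common and "SCRAM-SHA-256-PLUS" in offered:
        return "SCRAM-SHA-256-PLUS", common[0]
    if "SCRAM-SHA-256" in offered:
        return "SCRAM-SHA-256", None
    raise ValueError("no acceptable SASL mechanism offered")


if __name__ == "__main__":
    client_prefs = ["tls-exporter", "tls-server-end-point"]
    for label, doc, tls in (("tls", FEATURES_TLS, True), ("plain", FEATURES_PLAINTEXT, False)):
        mechs, types, present = parse_sasl2_features(doc)
        print(label, present, types, choose_mechanism(mechs, types, client_prefs, tls))
```

The client-side fallback is where the "MTI is not MTD" point bites: a client must still cope with a server that implements `tls-server-end-point` but, on this particular connection, has nothing to advertise.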