[Standards] Re: LAST CALL: XEP-0440 (SASL Channel-Binding Type Capability)

Thanks for the rewrite! While I still think this is a lost opportunity to mandate 'tls-exporter' for the XMPP eco-system, I think the new text is reasonable and does encourage use of 'tls-exporter'. This all still feels to me similar that we mandate DES or RC4 because there are some environments that doesn't implement AES. I think at some point, the reasonable reaction isn't to mandate DES/RC4 but to say "sorry, you really ought to change and use AES". But I also realize there are different view-points on this, and the text seems like a reasonable compromise. However, I suggest to drop 'or tls-unique' from this sentence: Tls-server-end-point was picked, because it is the lowest denominator that can be implemented by virtually everyone and even though it isn't as strong as tls-exporter or tls-unique, since tls-unique has known weaknesses: https://datatracker.ietf.org/doc/html/rfc9266#section-1 and doesn't work with TLS 1.3, so tls-unique requires TLS 1.2 which is generally less secure than TLS 1.3. Thus, I think that in some environments, even tls-server-end-point could be considered more secure than tls-unique. If people migrate away from tls-server-end-point, they should migrate to tls-exporter, and not consider tls-unique. I think the sentence gives the wrong impression regarding this. /Simon Daniel Gultsch <daniel(a)gultsch.de> writes: