1. Is this specification needed to fill gaps in the XMPP protocol stack or to clarify an existing protocol?
Yes.
2. Does the specification solve the problem stated in the introduction and requirements?
Yes.
3. Do you plan to implement this specification in your code? If not, why not?
Yes.
4. Do you have any security concerns related to this specification?
I don't love that the suggested SASL mechanisms have no protection against
tokens being stolen and re-used via MITM, but this could be solved by using
SCRAM in implementations which is not forbidden.
5. Is the specification accurate and clearly written?
I do not particularly like at all having the SASL mechanisms for FAST
specified completely separately. I do sort of understand the reason it was
done, but it's not generic at all. For example if I want to do (and I do want
to) support "app passwords" I need to solve the same problems (select which
credential is being used, specify which SASL mechanisms can be used for
which credential) but I wouldn't be able to re-use the solution FAST uses
and would need yet another third solution.