What has changed in the 5 years since we discussed
this is a perception of
what that mechanism should be.
The alternative to forever enshrining 'endpoint' as a MUST would simply be
to discuss - in non-normative language - the trade-off between supporting
something very widely implementable like endpoint and something like
exporter.
No, that won't work. It *must* be something every client and server
implementing channel-binding would be able to implement *and* offer/use. And as
of today I don't know of any other channel-binding that can be used everywhere
(even when using load-balancers etc).
In general, I think we should create security for today, not for a
hypothetical future. We can always update/deprecate this MUST via a new XEP
if there ever emerges a channel binding type with the same ubiquitous
properties.
-tmolitor