I am going to reply to Dave's post in an attempt to get the discussion 
back on track. Because, right now, it got a bit derailed by the 
assumption that XEP-0440 requires tls-server-endpoint just for the sake 
of it (at least, that is my impression).
On 20/10/2025 12.46, Dave Cridland wrote:
> Yes, the MTI advice in this document is indeed a bit weird.
> tls-server-endpoint is MUST, but with little background information,

Actually the rationale for doing so is provided in the beginning of the 
"Security Considerations" section (right before the tls-server-endpoint 
requirement is stated).
IIRC ca. 2022 Thilo (in CC) made a case that a mutual shared cb-type 
improves the security. And the lowest common denominator simply is 
tls-server-endpoint, which is what we want servers to support and 
announce to achieve the goal of a mutual shared cb-type. If I am not 
mistaken, this was also discussed on the standards@ mailing list.
Reading the current last call discussion, I don't get the impression 
that this previous discussion and the provided arguments are taken into 
account.
Don't get me wrong. I do not plan to object to whatever decision we are 
going to make. But those who want to change the XEP (again) should 
explain why the arguments back then are not, or no longer, valid.
> but it then goes on to say that tls-exporter is preferable.

It is preferable, isn't it?
- Flow