I am going to reply to Dave's post in an attempt to get the discussion
back on track, because right now it has been derailed a bit by the
assumption that XEP-0440 requires tls-server-endpoint just for the sake
of it (at least, that is my impression).
On 20/10/2025 12.46, Dave Cridland wrote:
> Yes, the MTI advice in this document is indeed a bit weird.
> tls-server-endpoint is MUST, but with little background information,
Actually, the rationale for doing so is provided at the beginning of the
"Security Considerations" section (right before the tls-server-endpoint
requirement is stated).
IIRC ca. 2022 Thilo (in CC) made a case that a mutual shared cb-type
improves the security. And the lowest common denominator simply is
tls-server-endpoint, which is what we want servers to support and
announce to achieve the goal of a mutual shared cb-type. If I am not
mistaken, this was also discussed on the standards@ mailing list.
Reading the current last call discussion, I don't get the impression
that this previous discussion and the provided arguments are taken into
account.
Don't get me wrong. I do not plan to object to whatever decision we are
going to make. But those who want to change the XEP (again) should
explain why the arguments back then are not, or no longer, valid.
> but it then goes on to say that tls-exporter is preferable.
It is preferable, isn't it?
- Flow
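The "mutual shared cb-type" point above, as an added example that is not code from XEP-0440, from Flow or Dave, or from any XMPP project: a client parses the cb-types the server announces, picks the strongest one both sides share (tls-exporter first, tls-server-end-point as the fallback every server can offer), and computes the RFC 5929 tls-server-end-point value from the server certificate, including the rule that an MD5- or SHA-1-signed certificate is hashed with SHA-256 instead. Assumptions: the feature namespace and element names (urn:xmpp:sasl-cb:0, sasl-channel-binding, channel-binding type='...') are written from memory of XEP-0440 and should be checked against the XEP; the IANA-registered spelling tls-server-end-point is used; and the certificate it hashes is a constructed DER blob with the outer shape of an X.509 Certificate, not a real certificate.

```python
"""Added example: XEP-0440 cb-type selection plus RFC 5929 tls-server-end-point."""
import hashlib
import xml.etree.ElementTree as ET

# Assumed from XEP-0440 (verify against the XEP): the stream feature is
# <sasl-channel-binding xmlns='urn:xmpp:sasl-cb:0'> with
# <channel-binding type='...'/> children.
SASL_CB_NS = "urn:xmpp:sasl-cb:0"

# Client preference: RFC 9266 tls-exporter, then RFC 5929 tls-server-end-point
# (the lowest common denominator), then tls-unique (undefined for TLS 1.3).
CLIENT_PREFERENCE = ("tls-exporter", "tls-server-end-point", "tls-unique")

# Certificate signatureAlgorithm OID -> the single hash that algorithm uses.
SIGALG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
}


def parse_announced_cb_types(feature_xml):
    """cb-type names the server announced, in announcement order."""
    root = ET.fromstring(feature_xml)
    return [el.get("type") for el in root.iter(f"{{{SASL_CB_NS}}}channel-binding")]


def choose_channel_binding(server_announced, client_supported, preference=CLIENT_PREFERENCE):
    """Most-preferred cb-type both sides support, or None if there is no overlap."""
    shared = set(server_announced) & set(client_supported)
    return next((cb for cb in preference if cb in shared), None)


def _read_tlv(buf, pos):
    """Minimal DER reader: (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def certificate_signature_hash(der_cert):
    """Hash named by the certificate's outer signatureAlgorithm (RFC 5280 shape)."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                   # tbsCertificate, skipped
    _, sig_alg, _ = _read_tlv(cert, pos)                # signatureAlgorithm
    tag, oid_body, _ = _read_tlv(sig_alg, 0)            # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_body)
    if oid not in SIGALG_OID_TO_HASH:
        raise ValueError(f"tls-server-end-point undefined for signatureAlgorithm {oid}")
    return SIGALG_OID_TO_HASH[oid]


def tls_server_end_point_hash_name(der_cert):
    """RFC 5929 s4.1: MD5 and SHA-1 are replaced by SHA-256, anything else is kept."""
    name = certificate_signature_hash(der_cert)
    return "sha256" if name in ("md5", "sha1") else name


def tls_server_end_point(der_cert):
    """Channel-binding value: hash of the DER end-entity certificate."""
    return hashlib.new(tls_server_end_point_hash_name(der_cert), der_cert).digest()


def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_certificate(sig_alg_oid):
    """Constructed input, NOT a real certificate: only the outer Certificate
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } shape is real."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                                   # placeholder TBS
    sig_alg = _der(0x30, _der(0x06, _encode_oid(sig_alg_oid)) + b"\x05\x00")  # OID + NULL
    sig_value = _der(0x03, b"\x00" + b"\xAB" * 16)                          # placeholder BIT STRING
    return _der(0x30, tbs + sig_alg + sig_value)


if __name__ == "__main__":
    feature = ("<sasl-channel-binding xmlns='urn:xmpp:sasl-cb:0'>"
               "<channel-binding type='tls-server-end-point'/>"
               "<channel-binding type='tls-exporter'/></sasl-channel-binding>")
    announced = parse_announced_cb_types(feature)
    print("server announces:", announced, "-> client picks:",
          choose_channel_binding(announced, CLIENT_PREFERENCE))
    cert = make_fake_certificate("1.2.840.113549.1.1.5")                    # sha1WithRSAEncryption
    print("sha1-signed cert is bound with", tls_server_end_point_hash_name(cert))
```

The selection deliberately ranks tls-exporter above tls-server-end-point, which is the "preferable" reading of the XEP text quoted above, while still succeeding against a server that only announces tls-server-end-point; a server that announces neither (or only tls-unique against a TLS 1.3 client) yields None and the client should fall back to a non-PLUS mechanism rather than fabricate a binding.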