I've sketched out a proposal to either allow, or improve (depending on how you think of it) the initiating entity's ability to pipeline authentication (as in, send it without having waited for stream features it's seen before).

XEP-0484 (FAST) implies very strongly that this is possible anyway - and of course it is - but in its current form clients have to take it on faith that the stream features are unlikely to change. This has ramifications in how quickly clients are likely to take advantage of new features or new SASL mechanisms.

As an example, a client which already supports channel bindings, and is using FAST with a pre-existing token, will not see the features of a server newly enabling channel binding until after the authentications has succeeded, thus "missing out" on switching to the better security.

https://github.com/xsf/xeps/pull/1483 is, I think, the obvious way of tightening this up. This is a relatively minor problem, but I think this is a relatively lightweight solution.

Comments are, of course, welcome.

Dave.