[Standards] Advance XEP-0368 to Proposed

Sam Whited sam at samwhited.com
Tue Jan 24 15:20:21 UTC 2017


On Tue, Jan 24, 2017 at 7:38 AM, Travis Burtrum <travis at burtrum.org> wrote:
> But you basically said it yourself, "Direct" TLS and STARTTLS are
> equivalent security-wise ONLY IF you attempt STARTTLS regardless of
> offer and give up with a security exception otherwise.  That behavior is
> enforced with direct TLS, therefore they are not equivalent.

Only if you specify a default port to attempt connections on (as was
discussed earlier). I agree with Zash, they're equivalent; 6120 says
that even if STARTTLS isn't advertised you should attempt it, and this
is the same thing. Falling back to plain is a bad idea, but it's a
matter of client policy.

—Sam
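
The client policy discussed in this thread, as an added example that is not part of the original message or of any XMPP library: send `<starttls/>` whether or not the feature was advertised, and raise an error instead of falling back to plaintext. The function name, return values and sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample stanzas (not captured traffic).
FEATURES_WITH_TLS = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
# Same features as an on-path attacker would present after removing <starttls/>.
FEATURES_STRIPPED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
PROCEED = "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
FAILURE = "<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


class TLSPolicyError(Exception):
    """Raised instead of continuing on an unencrypted stream."""


def negotiate(features_xml, reply_to_starttls_xml):
    """Decide the next step after the client has sent <starttls/>.

    The client sends <starttls/> regardless of the advertised features;
    this function only records whether the offer was present, so that a
    missing offer can be logged as a possible downgrade attempt.
    """
    features = ET.fromstring(features_xml)
    offered = features.find(f"{{{NS_TLS}}}starttls") is not None

    reply = ET.fromstring(reply_to_starttls_xml)
    if reply.tag == f"{{{NS_TLS}}}proceed":
        note = "offered" if offered else "not advertised, attempted anyway"
        return ("begin-tls-handshake", note)

    # Anything other than <proceed/> ends the attempt: no plaintext fallback.
    raise TLSPolicyError(
        f"STARTTLS refused (offered={offered}); refusing to continue in plaintext"
    )
```
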

