[Standards] Advance XEP-0368 to Proposed
dave at cridland.net
Tue Jan 24 20:27:10 UTC 2017
On 24 January 2017 at 20:13, Travis Burtrum <travis at burtrum.org> wrote:
> On 01/24/2017 10:20 AM, Sam Whited wrote:
>> I agree with Zash, they're equivalent; 6120 says
>> that even if STARTTLS isn't advertised you should attempt it, and this
>> is the same thing. Falling back to plain is a bad idea, but it's a
>> matter of client policy.
> I still disagree, I know in the wild you will find poorly written
> clients and servers that fall back to plain text when confronted with
> STARTTLS stripping, but you will NEVER find software that falls back to
> plaintext over direct TLS, because it's simply not possible.
> Also I just realized the XEP already spells this out explicitly:
> "TLS provides more security than STARTTLS if RFC 7590 is not
> followed, as it isn't subject to STARTTLS stripping."
> Referring to where 7590 talks about stripping here
> Is that sentence as written not correct?
So, what you're saying is that buggy clients are less secure than
You can certainly have that, but I don't see why it belongs in a spec...
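As an added illustration of the disagreement above (this is not code from the thread, XEP-0368, or any XMPP library), the following constructed model contrasts the three client behaviours under discussion: a client that falls back to plaintext when the STARTTLS advertisement is missing, a client that follows RFC 6120/RFC 7590 and attempts STARTTLS regardless, and a XEP-0368 direct-TLS client, whose only possible outcomes are a completed TLS handshake or an aborted connection. The stream-features XML, the `honest_server`, `stripping_server` and `direct_tls_client` helpers and the "lax"/"strict" policy names are all assumptions constructed for this example; only the `urn:ietf:params:xml:ns:xmpp-tls` namespace is taken from RFC 6120.

```python
"""Constructed model of RFC 6120 STARTTLS negotiation versus XEP-0368
direct TLS, showing which client policies survive STARTTLS stripping.
All servers and stream-features documents here are constructed samples."""
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"  # RFC 6120 STARTTLS namespace

# Constructed <stream:features/> as an honest server would send it.
HONEST_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    '</stream:features>'
)
# The same features after an in-path party removed the <starttls/> advertisement.
STRIPPED_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '</stream:features>'
)


def starttls_advertised(features_xml: str) -> bool:
    """True if the server's stream features advertise STARTTLS."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def honest_server(starttls_request: str) -> str:
    """Constructed server that honours a STARTTLS request."""
    return f'<proceed xmlns="{TLS_NS}"/>'


def stripping_server(starttls_request: str) -> str:
    """Constructed in-path party that cannot complete the TLS upgrade;
    modelled as answering <failure/> (closing the stream would be equivalent)."""
    return f'<failure xmlns="{TLS_NS}"/>'


def starttls_client(features_xml: str, server, policy: str) -> str:
    """Return the resulting session state: 'tls', 'plaintext' or 'aborted'.

    policy == "lax":    treat a missing advertisement as "no TLS here" and carry
                        on in plaintext (the buggy behaviour the thread describes).
    policy == "strict": RFC 6120 / RFC 7590 behaviour, attempt STARTTLS anyway and
                        abort if the server will not proceed.
    """
    if not starttls_advertised(features_xml):
        if policy == "lax":
            return "plaintext"
        if policy != "strict":
            raise ValueError(f"unknown policy {policy!r}")
    reply = ET.fromstring(server(f'<starttls xmlns="{TLS_NS}"/>'))
    if reply.tag == f"{{{TLS_NS}}}proceed":
        return "tls"
    return "aborted"


def direct_tls_client(handshake_ok: bool) -> str:
    """XEP-0368 direct TLS: the TCP connection begins with the TLS handshake, so
    there is no pre-TLS features exchange to tamper with. A failed handshake can
    only abort the connection; 'plaintext' is not a reachable state."""
    return "tls" if handshake_ok else "aborted"


def outcomes() -> dict:
    """Summarise the scenarios discussed in the thread."""
    return {
        ("starttls", "lax", "honest"): starttls_client(HONEST_FEATURES, honest_server, "lax"),
        ("starttls", "lax", "stripped"): starttls_client(STRIPPED_FEATURES, stripping_server, "lax"),
        ("starttls", "strict", "stripped"): starttls_client(STRIPPED_FEATURES, stripping_server, "strict"),
        # Advertisement stripped but the request still reaches an honest server:
        # the RFC 6120 "attempt it anyway" rule recovers TLS here.
        ("starttls", "strict", "advert-only-stripped"): starttls_client(STRIPPED_FEATURES, honest_server, "strict"),
        ("direct", "n/a", "handshake-ok"): direct_tls_client(True),
        ("direct", "n/a", "handshake-blocked"): direct_tls_client(False),
    }


if __name__ == "__main__":
    for scenario, result in outcomes().items():
        print(scenario, "->", result)
```

The only row that ends in `plaintext` is the lax STARTTLS client facing a stripped advertisement, which is the case both sides of the thread agree is a client bug; the strict client and the direct-TLS client can only end in `tls` or `aborted`. Whether the equivalence of those two outcomes is a property of the protocol or of client policy is exactly the question being argued above.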