[Standards] NEW: XEP-0440 (SASL Channel-Binding Type Capability)

Ruslan N. Marchenko me at ruff.mobi
Thu Jul 16 11:08:40 UTC 2020


On Thursday, 16.07.2020, at 10:33 +0000, Daniel Gultsch wrote:
> On Thu, 16 July 2020 at 10:13, Florian Schmaus <
> flo at geekplace.eu> wrote:
> 
> > If you send 'y', which implies that you, the client, did not select a
> > -PLUS mechanism for authentication, while the server announces at least
> > one SCRAM-*-PLUS mechanism, then the server may suspect a MitM attack
> > and terminates the connection.
> 
> Yes. But that's the desired behaviour, no?
Desired by MitM, yes :)
I'd rather suggest, if no matching methods are found, just ignore the
hint and do tls-unique (as you would do in absence of this method) or
any other method you support instead in local preference order (e.g.
tls-exporter, then tls-server-end-point, etc.).

--rr
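
The fallback suggested in the message above, as an added example (not code from the thread or from XEP-0440): function names are hypothetical, the preference order is the one the message lists, and the GS2 header flags (`p=`, `y`, `n`) follow RFC 5802. It assumes `server_mechs` holds only SCRAM mechanism names in the server's order and that no authzid is sent.

```python
# Added example: hypothetical helper names, not from XEP-0440 or any library.

# Client's local preference order, as listed in the message above.
LOCAL_PREFERENCE = ["tls-unique", "tls-exporter", "tls-server-end-point"]


def pick_channel_binding(advertised, available, preference=LOCAL_PREFERENCE):
    """Return (cb_type, matched_hint).

    advertised: channel-binding types the server announced (the hint).
    available:  types the client's TLS stack can produce on this connection.
    """
    usable = [t for t in preference if t in available]
    for cb in usable:
        if cb in advertised:
            return cb, True
    # No overlap with the hint: ignore it and use local preference order
    # instead of giving up on channel binding.
    if usable:
        return usable[0], False
    return None, False


def gs2_header(server_mechs, advertised, available):
    """Choose a SCRAM mechanism and build the GS2 header (no authzid)."""
    plus = [m for m in server_mechs if m.endswith("-PLUS")]
    plain = [m for m in server_mechs if not m.endswith("-PLUS")]
    cb, _ = pick_channel_binding(advertised, available)
    if plus and cb:
        # Server offers -PLUS and the client can bind: never fall to 'y'.
        return plus[0], f"p={cb},,"
    if not plain:
        raise ValueError("no usable SCRAM mechanism")
    # 'y': client can bind but saw no -PLUS mechanism offered.
    # 'n': client cannot do channel binding at all.
    return plain[0], ("y,," if cb else "n,,")


if __name__ == "__main__":
    mechs = ["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"]  # constructed sample
    # The hint lists a type this client lacks, so it falls back to tls-unique.
    print(gs2_header(mechs, ["tls-exporter"],
                     {"tls-unique", "tls-server-end-point"}))
```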


