[Standards] NEW: XEP-0440 (SASL Channel-Binding Type Capability)

Ruslan N. Marchenko me at ruff.mobi
Thu Jul 16 11:14:15 UTC 2020


Am Donnerstag, den 16.07.2020, 13:08 +0200 schrieb Ruslan N. Marchenko:
> Am Donnerstag, den 16.07.2020, 10:33 +0000 schrieb Daniel Gultsch:
> > Am Do., 16. Juli 2020 um 10:13 Uhr schrieb Florian Schmaus <
> > flo at geekplace.eu>:
> > 
> > > If you send 'y', which implies that you, the client, did not
> > > select
> > > a
> > > -PLUS mechanism for authentication, while the server announces at
> > > least
> > > one SCRAM-*-PLUS mechanism, then the server may suspect a MitM
> > > attack
> > > and terminates the connection.
> > 
> > Yes. But that's the desired behaviour, no?
> Desired by MitM, yes :)

Sorry I misread (and misinterpreted) the comment as to say n is desired
behaviour.
Yes, y is would be kind of safest but sending y when both sides know
-PLUS is there is as good as client just aborts the connection. Which
could be an option actually.

> I'd rather suggest if no matching methods are found just ignore the
> the
> hint and do tls-unique (as you would do in absence of this method) or
> any other method you support instead in local preference order (eg
> tls-
> exporter, then tsl-server-end-point, etc.).
> 
> --rr
> 
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: Standards-unsubscribe at xmpp.org
> _______________________________________________
> 



More information about the Standards mailing list