[Standards] NEW: XEP-0440 (SASL Channel-Binding Type Capability)

Ruslan N. Marchenko me at ruff.mobi
Tue Jul 21 20:02:09 UTC 2020


On Tuesday, 21.07.2020 at 19:28 +0100, Dave Cridland wrote:
> On Tue, 21 Jul 2020 at 18:57, Florian Schmaus <flo at geekplace.eu>
> wrote:
> > Based on the discussion in this thread, I suggest the following
> > changes
> >
> > http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html#sasl-mech-interaction
> 
> Is it worth making tls-server-endpoint an MTI for XEP-0440?
>
> It is, as you note, trivial to implement, and as we always chant, MTI
> is Mandatory to Implement, not Mandatory to Deploy.
> 
> But it means anything using XEP-0440 MUST implement (and PROBABLY
> SHOULD deploy) a common binding that's reasonably well understood,
> provides some significant protection, and is easy to implement. If
> it turns out we really need something better later, we can review and
> change the MTI.
> 
> It also means that if it is not offered, one assumes the server
> administrator has some very good reasons for doing so.
> 
I'd second that. The main driver for this XEP, I believe, is to break the
tie of the tls-unique'ness which by various factors became the one and
only commonly accepted and utterly broken binding mechanism (I hear the
conspiracy whispers). And to make other mechanisms possible by being
negotiable.
tls-server-end-point, on the other hand, while being susceptible to
pre-image attacks, is still laughably easy to implement and provides decent
'better-than-nothing' security.
--rr
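
The tls-server-end-point computation discussed in this message, as an added example that is not part of the original e-mail or of any XMPP project's code: per RFC 5929 section 4.1 the binding is a hash of the server certificate as sent in TLS, using the hash from the certificate's signatureAlgorithm, with MD5 and SHA-1 replaced by SHA-256. The function names are illustrative, the OID table is deliberately partial, and the sample input is a constructed DER stand-in rather than a real certificate.

```python
import hashlib

# DER bytes of certificate signatureAlgorithm OIDs -> hash used by that signature
SIG_HASH = {
    bytes.fromhex("2a864886f70d010104"): "md5",     # md5WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010c"): "sha384",  # sha384WithRSAEncryption
    bytes.fromhex("2a864886f70d01010d"): "sha512",  # sha512WithRSAEncryption
    bytes.fromhex("2a8648ce3d040302"): "sha256",    # ecdsa-with-SHA256
    bytes.fromhex("2a8648ce3d040303"): "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def cb_hash_name(cert_der):
    """Pick the hash per RFC 5929 section 4.1 from signatureAlgorithm."""
    _, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE {
    _, _, pos = read_tlv(cert, 0)        #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(cert, pos)      #   signatureAlgorithm, ... }
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06 or oid not in SIG_HASH:
        raise ValueError("binding undefined for this signature algorithm")
    name = SIG_HASH[oid]
    return "sha256" if name in ("md5", "sha1") else name  # weak hashes upgraded

def tls_server_end_point(cert_der):
    """Channel-binding bytes: hash of the server certificate's DER encoding."""
    return hashlib.new(cb_hash_name(cert_der), cert_der).digest()

def _tlv(tag, body):  # short-form encoder, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def constructed_cert(oid_hex):
    """Constructed stand-in with a certificate's outer DER shape (not a real one)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, b"\x02\x01\x01") + alg + _tlv(0x03, b"\x00\xaa"))
```

Both peers compute the value from the same certificate bytes, so a client that sees a different certificate than the one the server presented ends up with a different binding and the SASL exchange fails.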