[Standards] NEW: XEP-0440 (SASL Channel-Binding Type Capability)

Florian Schmaus flo at geekplace.eu
Sun Jul 26 16:57:19 UTC 2020


On 7/21/20 8:28 PM, Dave Cridland wrote:
> 
> 
> On Tue, 21 Jul 2020 at 18:57, Florian Schmaus <flo at geekplace.eu> wrote:
> 
>     Based on the discussion in this thread, I suggest the following changes
> 
>     http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html#sasl-mech-interaction
> 
> 
> Is it worth making tls-server-endpoint an MTI for XEP-0440?
> 
> It is, as you note, trivial to implement, and as we always chant, MTI is
> Mandatory to Implement, not Mandatory to Deploy.
> 
> But it means anything using XEP-0440 MUST implement (and PROBABLY SHOULD
> deploy) a common binding that's reasonably well understood, provides
> some significant protection, and is easy to implement. If it turns out
> we really need something better later, we can review and change the MTI.
> 
> It also means that if it is not offered, one assumes the server
> administrator has some very good reasons for doing so.

That is a good point.

How about:

As further mitigation, it is RECOMMENDED to implement the
channel-binding type tls-server-end-point (RFC 5929 [6]) to increase the
probability of a mutually supported channel-binding type.


Updated diff at:
http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html


- Florian
