[Standards] Channel Binding with TLS 1.3

Sam Whited sam at samwhited.com
Fri May 1 16:25:04 UTC 2020

Hi all,

As you may be aware, the channel binding mechanisms used in SCRAM-SHA-1-
PLUS have some caveats in how they can be used. In particular,
weaknesses in TLS 1.2 around renegotiation and the TLS master secret
make them unusable in  some implementations without the TLS master
secret fix, and they aren't defined at all for TLS 1.3.

To remedy this I have been considering what a new channel binding
mechanism that works with TLS 1.3 might look like and have defined one
in the following I-D (which has not yet been accepted or reviewed by the
IETF, I just uploaded it so that I could send an email to the working
group and link to the idea):


It still has some caveats around using it with older versions of TLS,
but I think it's an improvement on the state of the art all the same and
would love to get your feedback since it's primarily being defined for
use in XMPP.


Sam Whited

More information about the Standards mailing list