[Standards] Channel binding and token authentication

Matthew Wild mwild1 at gmail.com
Mon Sep 26 17:24:37 UTC 2022

Hi folks,

I'm continuing work on authentication[1]. While fleshing out a plan
for token authentication in SASL2, I provided feedback to Florian a
few days ago that we need a new SASL HT- mechanism without channel
binding ( https://datatracker.ietf.org/doc/html/draft-schmaus-kitten-sasl-ht-07
). He suggested I bring up the topic on the list, so here I am.

The current specs say that channel binding is a mandatory requirement.
However, this excludes web clients from using the mechanisms, even
though they would be one of the key client groups to benefit from
being able to exchange passwords for tokens. Meanwhile, I believe that
the security gained by channel binding in XMPP is minimal, at best.

Does anyone have objections to proceeding with the definition of one
or more HT-*-NONE mechanisms for token authentication?


[1]: https://docs.modernxmpp.org/projects/auth/
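As an added illustration (not part of Matthew's mail, nor code from the HT draft or any XMPP project), the sketch below models the HT-style exchange in which both sides compute HMAC(token, label || cb-data) with an empty cb-data standing in for the proposed HT-*-NONE variant. The "Initiator"/"Responder" labels, the authcid NUL mac layout and the exporter byte strings are assumptions or constructed values; what the code shows is which part of the exchange channel binding actually pins to the TLS connection.

```python
import hmac
import hashlib
from typing import Optional, Dict

# Labels and layout are assumptions modelled on the HT draft, not copied from it.
def ht_initiator(token: bytes, cb_data: bytes) -> bytes:
    return hmac.new(token, b"Initiator" + cb_data, hashlib.sha256).digest()

def ht_responder(token: bytes, cb_data: bytes) -> bytes:
    return hmac.new(token, b"Responder" + cb_data, hashlib.sha256).digest()

def client_initial_response(authcid: str, token: bytes, cb_data: bytes) -> bytes:
    # Client-first message: authcid, NUL, initiator MAC (assumed layout).
    return authcid.encode() + b"\x00" + ht_initiator(token, cb_data)

def server_verify(initial: bytes, tokens: Dict[str, bytes], cb_data: bytes) -> Optional[bytes]:
    """Recompute the initiator MAC with the server's own view of the channel.
    Returns the responder MAC on success, None on failure."""
    authcid, _, mac = initial.partition(b"\x00")
    token = tokens.get(authcid.decode())
    if token is None or not hmac.compare_digest(mac, ht_initiator(token, cb_data)):
        return None
    return ht_responder(token, cb_data)

def client_verify(token: bytes, cb_data: bytes, response: bytes) -> bool:
    return hmac.compare_digest(response, ht_responder(token, cb_data))

# Constructed demo data: one token, and distinct "exporter" bytes for two TLS sessions.
TOKEN = b"constructed-demo-token-0123456789"
TOKENS = {"alice": TOKEN}
CB_CLIENT_SESSION = b"constructed-exporter-bytes-session-A"
CB_SERVER_SESSION = b"constructed-exporter-bytes-session-B"

def direct_exchange(channel_binding: bool) -> bool:
    """Client and server share one TLS session; both see the same cb-data."""
    cb = CB_CLIENT_SESSION if channel_binding else b""
    initial = client_initial_response("alice", TOKEN, cb)
    response = server_verify(initial, TOKENS, cb)
    return response is not None and client_verify(TOKEN, cb, response)

def relayed_exchange(channel_binding: bool) -> bool:
    """The client's bytes are forwarded to the server over a different TLS
    session, so each end derives its own cb-data. Returns server acceptance."""
    client_cb = CB_CLIENT_SESSION if channel_binding else b""
    server_cb = CB_SERVER_SESSION if channel_binding else b""
    initial = client_initial_response("alice", TOKEN, client_cb)
    return server_verify(initial, TOKENS, server_cb) is not None
```

With cb-data empty the forwarded initial response verifies on any session, so the token's protection rests entirely on TLS server authentication and token lifetime; with non-empty cb-data the MAC only verifies on the session whose exporter bytes the client used.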

