[Standards] Channel binding and token authentication
daniel at gultsch.de
Tue Sep 27 07:38:31 UTC 2022
On Mon, Sep 26, 2022 at 7:28 PM Matthew Wild <mwild1 at gmail.com> wrote:
> The current specs say that channel binding is a mandatory requirement.
> However this excludes web clients from using the mechanisms, even
> though they would be one of the key client groups to benefit from
> being able to exchange passwords for tokens. Meanwhile, I believe that
> the security gained by channel binding in XMPP is minimal, at best.
> Does anyone have objections to proceeding with the definition of one
> or more HT-*-NONE mechanisms for token authentication?
FWIW I think channel binding has some interesting security properties -
especially once we have device-specific tokens that can be stored relatively
securely on a device.
But I agree that it should be optional; I already said this in the ISR
thread: There are plenty of scenarios where channel binding is not an