[Standards] Channel binding and token authentication

Daniel Gultsch daniel at gultsch.de
Tue Sep 27 07:38:31 UTC 2022


On Mon, Sep 26, 2022 at 7:28 PM Matthew Wild <mwild1 at gmail.com> wrote:

>
> The current specs say that channel binding is a mandatory requirement.
> However this excludes web clients from using the mechanisms, even
> though they would be one of the key client groups to benefit from
> being able to exchange passwords for tokens. Meanwhile, I believe that
> the security gained by channel binding in XMPP is minimal, at best.
>
> Does anyone have objections to proceeding with the definition of one
> or more HT-*-NONE mechanisms for token authentication?
>
>
FWIW I think channel binding has some interesting security properties -
especially once we have device-specific tokens that can be stored relatively
securely on a device.

But I agree that it should be optional; I already said this in the ISR
thread: There are plenty of scenarios where channel binding is not an
option.

cheers
Daniel