[Standards] Channel binding and token authentication

Dave Cridland dave at cridland.net
Tue Sep 27 08:44:12 UTC 2022


On Tue, 27 Sept 2022 at 08:39, Daniel Gultsch <daniel at gultsch.de> wrote:

> But I agree that it should be optional; I already said this in the ISR
> thread: There are plenty of scenarios where channel binding is not an
> option.
>

Before committing to this, some observations:

- HT-*-NONE is needed for cases where there's no TLS at all. These are
rare, but there are legitimate cases where this is a sensible choice.
- Channel bindings can be used in cases where TLS is terminated in advance
by either:
  - Using TLS Endpoint channel bindings, which merely mean the XMPP server
needs to know the certificate which is to be used, or
  - Just going through the motions and blindly accepting the client's
channel binding choice, perhaps most sensibly by again using
tls-server-end-point

So I'm not *against* a HT-*-NONE, but I wonder if we should promote the
second bullet-point above the first?

Dave.
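
The tls-server-end-point case from the list above, as an added example that is not part of the original message: an XMPP server behind a TLS terminator can derive the expected binding from the certificate alone, using the hash-selection rule of RFC 5929 section 4.1. The function names are this example's own, the OID table is partial, and `sample_cert` builds a constructed DER skeleton rather than a real certificate.

```python
import hashlib

# signatureAlgorithm OID (hex of DER value) -> hash, per RFC 5929 section 4.1:
# MD5 and SHA-1 are replaced by SHA-256, other single hashes are used as-is.
SIG_OID_TO_HASH = {
    "2a864886f70d010104": "sha256",  # md5WithRSAEncryption (upgraded)
    "2a864886f70d010105": "sha256",  # sha1WithRSAEncryption (upgraded)
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a864886f70d01010d": "sha512",  # sha512WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(cert_der):
    """Hex of the outer signatureAlgorithm OID of a DER certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return cert_der[oid_start:oid_end].hex()

def tls_server_end_point(cert_der):
    """Channel-binding bytes the server expects for this certificate."""
    oid = signature_oid(cert_der)
    if oid not in SIG_OID_TO_HASH:
        raise ValueError("binding undefined for signature OID " + oid)
    return hashlib.new(SIG_OID_TO_HASH[oid], cert_der).digest()

def sample_cert(oid_hex):
    """Constructed skeleton with a certificate's outer layout; not a real cert."""
    der = lambda tag, value: bytes([tag, len(value)]) + value  # short lengths only
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, b"\x02\x01\x01") + alg + der(0x03, b"\x00\xaa"))
```

The hash covers the certificate bytes exactly as sent in the TLS handshake, so the copy configured on the XMPP server must be the same DER encoding the terminator presents.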