Re: [Standards] Channel binding and token authentication
Sep 26, 2022 7:42:48 AM Kevin Smith:

> -- Original Message --
> From: "Matthew Wild"
> To: "XMPP Standards"
> Sent: 26/09/2022 18:24:37
> Subject: [Standards] Channel binding and token authentication
>
>> Does anyone have objections to proceeding with the definition of one
>> or more HT-*-NONE mechanisms for token authentication?
>
> Seems entirely sensible to me.

I agree. (Selfishly, as the author of a proxy that would break channel binding)

___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] Channel binding and token authentication
-- Original Message --
From: "Matthew Wild"
To: "XMPP Standards"
Sent: 26/09/2022 18:24:37
Subject: [Standards] Channel binding and token authentication

> Does anyone have objections to proceeding with the definition of one
> or more HT-*-NONE mechanisms for token authentication?

Seems entirely sensible to me.

/K

[Standards] Channel binding and token authentication
Hi folks,

I'm continuing work on authentication[1]. While fleshing out a plan for token authentication in SASL2, I provided feedback to Florian a few days ago that we need a new SASL HT- mechanism without channel binding (https://datatracker.ietf.org/doc/html/draft-schmaus-kitten-sasl-ht-07). He suggested I bring up the topic on the list, so here I am.

The current specs say that channel binding is a mandatory requirement. However, this excludes web clients from using the mechanisms, even though they would be one of the key client groups to benefit from being able to exchange passwords for tokens.

Meanwhile, I believe that the security gained by channel binding in XMPP is minimal, at best.

Does anyone have objections to proceeding with the definition of one or more HT-*-NONE mechanisms for token authentication?

Regards,
Matthew

[1]: https://docs.modernxmpp.org/projects/auth/