On 24 January 2017 at 20:13, Travis Burtrum <[email protected]> wrote:
> On 01/24/2017 10:20 AM, Sam Whited wrote:
>> I agree with Zash, they're equivalent; 6120 says
>> that even if STARTTLS isn't advertised you should attempt it, and this
>> is the same thing. Falling back to plain is a bad idea, but it's a
>> matter of client policy.
>
> I still disagree, I know in the wild you will find poorly written
> clients and servers that fall back to plain text when confronted with
> STARTTLS stripping, but you will NEVER find software that falls back to
> plaintext over direct TLS, because it's simply not possible.
>
> Also I just realized the XEP already spells this out explicitly:
>
> "TLS provides more security than STARTTLS if RFC 7590 [4] is not
> followed, as it isn't subject to STARTTLS stripping."
>
> Referring to where 7590 talks about stripping here
> https://tools.ietf.org/html/rfc7590#section-3.1
>
> Is that sentence as written not correct?
So, what you're saying is that buggy clients are less secure than non-buggy ones? You can certainly have that, but I don't see why it belongs in a spec...

Dave.

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
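The client-side decision the thread contrasts (direct TLS versus STARTTLS, with and without the plaintext fallback the poorly written clients perform), as an added Python illustration that is not code from the thread or from any XMPP implementation; the stream-features stanzas are constructed samples and the transport and policy names are assumptions.

```python
"""Client policy against STARTTLS stripping (added illustration, not code
from the thread or any XMPP library). The <stream:features> payloads are
constructed samples; "direct-tls"/"tcp" and plain_fallback are assumed names."""
import xml.etree.ElementTree as ET
from typing import Optional

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed features as a well-behaved server sends them (STARTTLS offered).
FEATURES_WITH_STARTTLS = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    '</stream:features>'
)
# Constructed features after an on-path party removed <starttls/>.
FEATURES_STRIPPED = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)


def starttls_advertised(features_xml: str) -> bool:
    """True if the stream features carry the <starttls/> element."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step(transport: str, features_xml: Optional[str], plain_fallback: bool) -> str:
    """What the client does after the initial stream exchange.

    transport: "direct-tls" (TLS negotiated before any XMPP stream) or "tcp".
    plain_fallback: the buggy policy the thread warns about.
    Returns "proceed", "starttls" or "plaintext".
    """
    if transport == "direct-tls":
        # The channel is already encrypted; nothing the peer sends can remove it.
        return "proceed"
    if features_xml is not None and starttls_advertised(features_xml):
        return "starttls"
    # <starttls/> missing: a correct client attempts STARTTLS anyway (6120) and
    # aborts if it fails; only the buggy policy continues in the clear.
    return "plaintext" if plain_fallback else "starttls"
```

Comparing `next_step("tcp", FEATURES_STRIPPED, True)` with the direct-TLS case shows why the stripping attack only has a target when the downgrade decision is left to the client.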
