Is there a session binding (-PLUS) mechanism that works with TLSv1.3 and is not considered insecure?
On Thu, 24 Jan 2019 at 18:16, Dave Cridland <[email protected]> wrote:
>
> There's an ongoing discussion about
> https://datatracker.ietf.org/doc/draft-ietf-mile-xmpp-grid/ - a document
> currently about to be voted on by the IESG - which includes a slightly
> different set of SASL mechanisms as Mandatory To Implement.
>
> Our current MTI is from RFC 6120, and can be summarized as:
>
> Servers MUST implement EXTERNAL, SCRAM-SHA1 and SCRAM-SHA1-PLUS.
> Client MUST implement SCRAM-SHA1 and SCRAM-SHA1-PLUS, and SHOULD implement
> EXTERNAL and PLAIN (the latter so servers can support some pre-existing
> authentication systems).
>
> XMPP-Grid (that draft) essentially says both servers and clients MUST
> implement EXTERNAL, SCRAM-SHA1, SCRAM-SHA1-PLUS, SCRAM-SHA-256, and
> SCRAM-SHA-256-PLUS.
>
> Is there any interest in updating our MTI?
>
> I would imagine any work would need to be done in the IETF, in conformance
> with their "Note Well".
>
> Dave.
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: [email protected]
> _______________________________________________
