On 31.01.19 16:58, Jonas Schäfer wrote:
> 3. We should mention in the security considerations that clients should be
> careful which requests they include in the initial <authenticate/>, especially
> when no transport security is in use; if the SASL method allows mutual
> authentication (e.g. SCRAM), a client might find that they're not actually
> connected to the server and have just sent possibly private data to them.
It possibly can't hurt to also specify that a server that detected a (potential) MitM by the means provided by the SASL layer should also drop the SM state. But I feel like this should go into XEP-0198's security considerations.

- Florian
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
