On Fri, Feb 8, 2019 at 9:23 AM, Marcel Waldvogel
<[email protected]> wrote:
I just became aware that XEP-0412/RFC 6120 mandate SCRAM-SHA-1-PLUS.
The way I understand it, the required TLS Channel Binding for the
SASL -PLUS schemes is not possible from browser-based clients, as
there is no way to get at the required low-level TLS information.
Yes, the -PLUS extension is just an abstraction leakage, and current
use cases (browsers, load-balancers, etc) clearly reveal it. I myself
don't like the tendency how TLS is leaking into upper application
layers more and more (SNI, ALPN and now various IDs).
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
