On Tuesday, 21.07.2020, at 19:28 +0100, Dave Cridland wrote:
> On Tue, 21 Jul 2020 at 18:57, Florian Schmaus <[email protected]>
> wrote:
> > Based on the discussion in this thread, I suggest the following
> > changes
> >
> > http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html#sasl-mech-interaction
>
> Is it worth making tls-server-endpoint an MTI for XEP-0440?
>
> It is, as you note, trivial to implement, and as we always chant, MTI
> is Mandatory to Implement, not Mandatory to Deploy.
>
> But it means anything using XEP-0440 MUST implement (and PROBABLY
> SHOULD deploy) a common binding that's reasonably well understood,
> provides some significant protection, and is easy to implement. If
> it turns out we really need something better later, we can review and
> change the MTI.
>
> It also means that if it is not offered, one assumes the server
> administrator has some very good reasons for doing so.
>

I'd second that.

The main driver for this XEP, I believe, is to break the tie of the tls-unique'ness, which by various factors became the one and only commonly accepted and utterly broken binding mechanism (I hear the conspiracy whispers). And to make other mechanisms possible by being negotiable.

tls-server-end-point, on the other hand, while being susceptible to pre-image attacks, is still laughably easy to implement and provides decent 'better-than-nothing' security.

--rr
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
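As an added illustration (not code from this thread or from any XEP), this is the tls-server-end-point computation as RFC 5929 defines it: hash the server's DER-encoded certificate with the hash named by the certificate's signature algorithm, substituting SHA-256 when that hash is MD5 or SHA-1. The OID table, the function names and the constructed DER skeleton used as sample input are assumptions of this example.

```python
import hashlib

# signatureAlgorithm OID (DER content bytes, hex) -> hash that algorithm names
SIG_HASH = {
    "2a864886f70d010104": "md5",     # md5WithRSAEncryption
    "2a864886f70d010105": "sha1",    # sha1WithRSAEncryption
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return cert_der[oid_start:oid_end].hex()

def tls_server_end_point(cert_der):
    """Channel-binding bytes for the given server certificate."""
    name = SIG_HASH.get(signature_oid(cert_der))
    if name is None:                 # no single hash (e.g. Ed25519): binding undefined
        raise ValueError("tls-server-end-point undefined for this signature algorithm")
    if name in ("md5", "sha1"):      # weak hashes are replaced by SHA-256
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def constructed_cert(oid_hex):
    """Constructed DER skeleton for the demo, not a real certificate."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

On a live connection the input would be the peer certificate in DER form, for example from `ssl.SSLSocket.getpeercert(binary_form=True)`.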
