On 7/21/20 8:28 PM, Dave Cridland wrote:
> On Tue, 21 Jul 2020 at 18:57, Florian Schmaus <[email protected]
> <mailto:[email protected]>> wrote:
>
>     Based on the discussion in this thread, I suggest the following changes
>
>     http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html#sasl-mech-interaction
>
> Is it worth making tls-server-endpoint an MTI for XEP-0440?
>
> It is, as you note, trivial to implement, and as we always chant, MTI is
> Mandatory to Implement, not Mandatory to Deploy.
>
> But it means anything using XEP-0440 MUST implement (and PROBABLY SHOULD
> deploy) a common binding that's reasonably well understood, provides
> some significant protection, and is easy to implement. If it turns out
> we really need something better later, we can review and change the MTI.
>
> It also means that if it is not offered, one assumes the server
> administrator has some very good reasons for doing so.

That is a good point. How about:

    As further mitigation, it is RECOMMENDED to implement the
    channel-binding type tls-server-end-point (RFC 5929 [6]) to increase
    the probability of a mutual supported channel-binding type.

Updated diff at: http://geekplace.eu/xeps/xep-sasl-cb-types/diff.html

- Florian

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
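
An added example, not part of the original thread or of the XEP: a sketch of what implementing the tls-server-end-point binding discussed above involves, following the hash-selection rule of RFC 5929 section 4.1 and the SCRAM `c=` encoding. The function names, the OID table and the stub certificate are assumptions made for this illustration; the stub is constructed DER, not a real certificate.

```python
import base64
import hashlib

# Signature-algorithm OIDs (DER content bytes, hex) -> the single hash they use.
HASH_BY_SIG_OID = {
    "2a864886f70d010104": "md5",     # md5WithRSAEncryption
    "2a864886f70d010105": "sha1",    # sha1WithRSAEncryption
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a864886f70d01010d": "sha512",  # sha512WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "sha384",    # ecdsa-with-SHA384
    "2a8648ce3d040304": "sha512",    # ecdsa-with-SHA512
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(cert_der):
    """OID bytes of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    _, body, _ = read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, body)      # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert_der, alg_body)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return cert_der[start:end]

def tls_server_end_point(cert_der):
    """RFC 5929 section 4.1: hash of the server certificate, MD5/SHA-1 replaced by SHA-256."""
    name = HASH_BY_SIG_OID.get(signature_oid(cert_der).hex())
    if name is None:  # no single hash (e.g. Ed25519, RSASSA-PSS): binding is undefined
        raise ValueError("tls-server-end-point undefined for this signature algorithm")
    return hashlib.new("sha256" if name in ("md5", "sha1") else name, cert_der).digest()

def scram_c_attribute(cert_der):
    """SCRAM 'c=' value: base64(gs2-header || binding data), no authzid."""
    return base64.b64encode(b"p=tls-server-end-point,," + tls_server_end_point(cert_der)).decode()

def stub_cert(sig_oid_hex):
    """Constructed, certificate-shaped DER (not a real certificate) for the demo."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
```

On a live connection, Python's `ssl.SSLSocket.getpeercert(binary_form=True)` returns the DER bytes to pass in as `cert_der`.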
