Hi folks,

I'm continuing work on authentication[1]. While fleshing out a plan
for token authentication in SASL2, I provided feedback to Florian a
few days ago that we need a new SASL HT- mechanism without channel
binding ( https://datatracker.ietf.org/doc/html/draft-schmaus-kitten-sasl-ht-07
). He suggested I bring up the topic on the list, so here I am.

The current specs say that channel binding is a mandatory requirement.
However, this excludes web clients from using the mechanisms, even
though they would be one of the key client groups to benefit from
being able to exchange passwords for tokens. Meanwhile, I believe that
the security gained by channel binding in XMPP is minimal, at best.

Does anyone have objections to proceeding with the definition of one
or more HT-*-NONE mechanisms for token authentication?

Regards,
Matthew

[1]: https://docs.modernxmpp.org/projects/auth/
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
