On Mon, Sep 26, 2022 at 7:28 PM Matthew Wild <[email protected]> wrote:
> The current specs say that channel binding is a mandatory requirement.
> However this excludes web clients from using the mechanisms, even
> though they would be one of the key client groups to benefit from
> being able to exchange passwords for tokens. Meanwhile, I believe that
> the security gained by channel binding in XMPP is minimal, at best.
>
> Does anyone have objections to proceeding with the definition of one
> or more HT-*-NONE mechanisms for token authentication?

FWIW I think channel binding has some interesting security properties - especially once we have device specific tokens that can be stored relatively securely on a device. But I agree that it should be optional; I already said this in the ISR thread: There are plenty of scenarios where channel binding is not an option.

cheers
Daniel
