On Mon, Jan 13, 2025 at 12:50 PM Daniel Gultsch <[email protected]> wrote:
>
> This message constitutes notice of a Last Call for comments on
> XEP-0484.
>
> Title: Fast Authentication Streamlining Tokens
> Abstract:
> This specification defines a token-based method to streamline
> authentication in XMPP, allowing fully authenticated stream
> establishment within a single round-trip.
>
> URL: https://xmpp.org/extensions/xep-0484.html
>
> This Last Call begins today and shall end at the close of business on
> 2025-01-27.
>
> Please consider the following questions during this Last Call and send
> your feedback to the [email protected] discussion list:
>
> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?

Yes. Making login/resumption faster is important and FAST is the last
building block in the new SASL2/Bind 2 stack that isn’t stable yet.

> 2. Does the specification solve the problem stated in the introduction
> and requirements?

Yes.

> 3. Do you plan to implement this specification in your code? If not,
> why not?

Yes, it’s implemented in Conversations.

> 4. Do you have any security concerns related to this specification?

Yes. I think section 3.2 as well as the security considerations are
missing text that instructs developers not to downgrade their
channel binding method compared to their normal login method, meaning
that when logged in with SCRAM-SHA1-PLUS/exporter, only tokens that use
an equivalent or better channel binding mechanism should be requested
and/or accepted.

The channel bindings for normal login are protected via XEP-0474 (SASL
SCRAM Downgrade Protection), while the FAST mechanisms are not covered
by this. That’s fine if and only if we add language to 484 saying that
clients should not request anything weaker than was used during login.


> 5. Is the specification accurate and clearly written?

Yes
_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]
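The no-downgrade rule argued for above, as an added client-side policy check (example code written for this page, not code from Conversations, the XEP, or the poster). It assumes FAST mechanism names of the form HT-<hash>-<suffix> with the suffixes NONE, ENDP, UNIQ and EXPR standing for the channel-binding types "none", "tls-server-end-point", "tls-unique" and "tls-exporter", and it assumes a strength ranking among those four types; both the suffix mapping and the ranking are assumptions of this example, not statements from the message or the specification.

```python
"""Client-side FAST token policy: never request or accept a token whose
channel binding is weaker than the one used for the regular SASL login.
Added example; the mechanism names, suffix mapping and ranking below are
assumptions of this example, not taken from XEP-0484 or XEP-0474."""

from dataclasses import dataclass
from typing import List, Optional

# Assumed strength ranking of channel-binding types (higher is stronger).
# "none" covers plain SCRAM (no -PLUS) logins and HT-*-NONE tokens.
CB_RANK = {
    "none": 0,
    "tls-server-end-point": 1,
    "tls-unique": 2,
    "tls-exporter": 3,
}

# Assumed mapping from the last component of an HT-* mechanism name to
# the channel-binding type it uses.
HT_SUFFIX = {
    "NONE": "none",
    "ENDP": "tls-server-end-point",
    "UNIQ": "tls-unique",
    "EXPR": "tls-exporter",
}


@dataclass(frozen=True)
class LoginContext:
    """What the client actually used for its normal (non-FAST) login."""
    mechanism: str        # e.g. "SCRAM-SHA-1-PLUS" (hypothetical value)
    channel_binding: str  # e.g. "tls-exporter"; ignored for non -PLUS logins


def login_cb_rank(ctx: LoginContext) -> int:
    """Rank of the channel binding the regular login was protected with."""
    if not ctx.mechanism.endswith("-PLUS"):
        return CB_RANK["none"]  # no channel binding negotiated at all
    return CB_RANK[ctx.channel_binding]


def fast_cb_type(mechanism: str) -> Optional[str]:
    """Channel-binding type of an HT-<hash>-<suffix> mechanism, or None
    if the name is not one this policy understands (unknown = rejected)."""
    if not mechanism.startswith("HT-"):
        return None
    suffix = mechanism.rsplit("-", 1)[-1]
    return HT_SUFFIX.get(suffix)


def acceptable_fast_mechanisms(ctx: LoginContext, offered: List[str]) -> List[str]:
    """Filter the server's offered FAST mechanisms down to those whose
    channel binding is equivalent to or stronger than the login's."""
    minimum = login_cb_rank(ctx)
    accepted = []
    for mech in offered:
        cb = fast_cb_type(mech)
        if cb is None:
            continue  # unparseable or unknown binding: never request it
        if CB_RANK[cb] >= minimum:
            accepted.append(mech)
    return accepted


def choose_fast_mechanism(ctx: LoginContext, offered: List[str]) -> Optional[str]:
    """Pick the strongest acceptable mechanism to request a token for,
    or None if every offered mechanism would be a downgrade."""
    ok = acceptable_fast_mechanisms(ctx, offered)
    return max(ok, key=lambda m: CB_RANK[fast_cb_type(m)], default=None)


def token_mechanism_allowed(ctx: LoginContext, token_mechanism: str) -> bool:
    """Same rule applied when the server hands back a token: refuse to
    store or later use a token bound to a weaker mechanism."""
    return token_mechanism in acceptable_fast_mechanisms(ctx, [token_mechanism])


if __name__ == "__main__":
    # Constructed sample: server advertises four FAST variants.
    offered = ["HT-SHA-256-NONE", "HT-SHA-256-ENDP", "HT-SHA-256-UNIQ", "HT-SHA-256-EXPR"]
    exporter_login = LoginContext("SCRAM-SHA-1-PLUS", "tls-exporter")
    print(choose_fast_mechanism(exporter_login, offered))
    print(token_mechanism_allowed(exporter_login, "HT-SHA-256-NONE"))
```

The ranking is the part a deployment has to own: if a client treats tls-unique and tls-server-end-point as incomparable rather than ordered, the simplest safe policy is to require the identical binding type instead of "same or higher". Unknown mechanism names are rejected rather than assumed safe, so a new suffix cannot slip past the check.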