On Mon, Oct 20, 2025 at 12:47 PM Dave Cridland <[email protected]> wrote:
> Stock Java still doesn't support tls-exporter. You can use Bouncy Castle,
> though (and even unto FIPS), and get access - if local policy allows, which
> it might not. Otherwise you're stuck with tls-server-endpoint - which is
> still better than nothing of course.

I’m reading this as an argument on why this XEP should exist (Allowing the server to announce what channel binding features it supports), rather than an argument that the security considerations should keep requiring endpoint.

> The web browser doesn't support anything useful at all, you're entirely out
> for channel binding - and therefore may wish to support "non channel binding"
> versions.

FWIW WebTransport is close to ready and has exporter support.

> Any server operating behind a load balancer that terminates TLS cannot do
> anything but tls-server-endpoint, of course.

Someone apparently has a prototype that transmits the exporter bytes from the TLS termination proxy to the XMPP server via proxy protocol... But yes, giving people the option to do endpoint is certainly desired.

_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]
