On 20/10/2025 12.46, Dave Cridland wrote:
> Yes, the MTI advice in this document is indeed a bit weird. tls-server-endpoint is MUST, but with little background information,
Actually the rationale for doing so is provided in the beginning of the "Security Considerations" section (right before the tls-server-endpoint requirement is stated).
IIRC ca. 2022 Thilo (in CC) made a case that a mutual shared cb-type improves the security. And the lowest common denominator simply is tls-server-endpoint, which is what we want servers to support and announce to achieve the goal of a mutual shared cb-type. If I am not mistaken, this was also discussed on the standard@ mailing list.
Reading the current last call discussion, I don't get the impression that this previous discussion and the provided arguments are taken into account.
Don't get me wrong. I do not plan to object to whatever decision we are going to make. But those who want to change the XEP (again) should explain why the arguments back then are not, or no longer, valid.
> but it then goes on to say that tls-exporter is preferable.
It is preferable, isn't it?

- Flow
