Hi Simon,

> since tls-unique has known weaknesses:
> https://datatracker.ietf.org/doc/html/rfc9266#section-1

That might be true, but all reasonable implementations of TLS 1.2 nowadays use the extended master secret. For example OpenSSL 1.1.0 released in August 2016. So I'm inclined to consider this an issue fixed long ago.

> and doesn't work with TLS 1.3, so tls-unique requires TLS 1.2 which is
> generally less secure than TLS 1.3.

Where do you take that from? Afaik TLS 1.2 isn't less secure than TLS 1.3 (but a bit slower regarding connection establishment). But if you could provide some pointers, I would be happy to be corrected.

-tmolitor

>
> Daniel Gultsch <[email protected]> writes:
> > Hi,
> >
> > with my editor hat on please note that a new version of this XEP has
> > been published that should address some of the concerns.
> > Also with my editor hat on I’m taking the liberty to extend the LC by
> > another week to give people time to review the new version.
> >
> > With my council hat on I’m considering the endpoint v exporter
> > concerns addressed. This is both due to the new Business rules that
> > clearly outline the benefits of a common (minimum) binding mechanism
> > and due to some discussions that happened in the kitten WG. The
> > (somewhat related) discussion on Kitten revolved around deprecating
> > endpoint in favor of exporter at which multiple people spoke out against
> > this.
> >
> > cheers
> > Daniel
> > _______________________________________________
> > Standards mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
