On Wed, Feb 15, 2017 at 8:32 AM, Travis Burtrum <tra...@burtrum.org> wrote:
> "All security setup and certificate validation code SHOULD be shared
> between the STARTTLS and direct TLS logic as well."

These aren't the issues you're likely to hit though; I can't imagine anyone actually using different TLS code for STARTTLS vs. doing it direct. The issues you're likely to hit are logic bugs when trying to decide between direct/start-TLS that cause you to have a path that lets you fall back to plain without actually negotiating TLS at all.

That being said, I am all for this spec, I just think some of its security claims need to be rewritten before it is accepted.

—Sam

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
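
The fallback logic bug described in the message above, modelled as an added example that is not part of the original thread or of any client's code. `Endpoint`, `shared_handshake`, `connect_buggy` and `connect_strict` are hypothetical names, and the candidate list is constructed sample data rather than a real SRV lookup.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    """Constructed model of one connection candidate (hypothetical, not a real API)."""
    host: str
    mode: str                     # "direct" = TLS from the first byte, "starttls" = upgrade
    tls_ok: bool                  # would handshake + certificate validation succeed?
    offers_starttls: bool = True  # does the stream, as received, advertise STARTTLS?

class NoSecureEndpoint(Exception):
    pass

def shared_handshake(ep):
    # Single TLS setup/validation routine used by both modes, as the quoted text asks.
    return ep.tls_ok

def connect_buggy(endpoints):
    # Logic bug: a missing STARTTLS offer is read as "server has no TLS".
    for ep in endpoints:
        if ep.mode == "direct" or ep.offers_starttls:
            if shared_handshake(ep):
                return (ep.host, "tls")
            continue
        return (ep.host, "plaintext")  # path that never negotiated TLS
    raise NoSecureEndpoint("all candidates failed")

def connect_strict(endpoints):
    # The only successful return sits behind shared_handshake(); no plaintext branch.
    for ep in endpoints:
        if ep.mode == "starttls" and not ep.offers_starttls:
            continue  # absent or stripped offer counts as a failed candidate
        if shared_handshake(ep):
            return (ep.host, "tls")
    raise NoSecureEndpoint("no candidate completed TLS")

# Constructed scenario: direct-TLS candidate fails, STARTTLS offer is missing.
SAMPLE = [
    Endpoint("direct.example.org", "direct", tls_ok=False),
    Endpoint("xmpp.example.org", "starttls", tls_ok=True, offers_starttls=False),
]

def strict_refuses(endpoints):
    try:
        connect_strict(endpoints)
    except NoSecureEndpoint:
        return True
    return False
```

Both functions call the same handshake routine, so sharing TLS code does not prevent the downgrade; only the selection logic differs.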