I just became aware that XEP-0412/RFC 6120 mandate SCRAM-SHA-1-PLUS. The way I understand it, the required TLS Channel Binding for the SASL -PLUS schemes is not possible from browser-based clients, as there is no way to get at the required low-level TLS information.
Would it be possible to grant an exemption to the -PLUS requirement for browser-based clients? I.e., have a footnote behind "RFC 6120" consisting of "The mandatory-to-implement requirement of SCRAM-SHA-1-PLUS is waived for clients operating in environments where access to TLS information is not possible, i.e. browsers"?
-Marcel
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
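For readers following the thread: an added sketch, not part of the original message and not code from any XMPP library, of the one SCRAM field that the -PLUS variants change. The function names, the `tls-unique` binding type as the default, and the sample bytes are assumptions made for illustration; the gs2-header layout follows RFC 5802.

```javascript
const utf8 = new TextEncoder();

// base64 over raw bytes, using only globals present in browsers and Node.
function b64(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

// "c=" attribute of the SCRAM client-final message: base64(gs2-header || cb-data).
// gs2-header is "<cbind-flag>,," when no authzid is sent. cbind-flag is one of:
//   "p=<type>"  channel binding in use (-PLUS); cb-data comes from the TLS layer
//   "y"         client could bind, but the server did not offer a -PLUS mechanism
//   "n"         client has no access to channel binding data
function channelBindingAttr(cbFlag, cbData = new Uint8Array(0)) {
  const bound = cbFlag.startsWith("p=");
  if (bound && cbData.length === 0) {
    throw new Error("-PLUS requires channel binding data from the TLS layer");
  }
  if (!bound && cbData.length > 0) throw new Error("cb-data is only sent with a p= flag");
  const header = utf8.encode(`${cbFlag},,`);
  const buf = new Uint8Array(header.length + cbData.length);
  buf.set(header);
  buf.set(cbData, header.length);
  return "c=" + b64(buf);
}

// Choose mechanism and flag from the server's offer and what the runtime exposes.
// tlsCbData is null where the TLS stack is out of reach (the browser case).
function negotiate(offered, tlsCbData, cbType = "tls-unique") {
  if (tlsCbData && offered.includes("SCRAM-SHA-1-PLUS")) {
    const attr = channelBindingAttr("p=" + cbType, tlsCbData);
    return { mechanism: "SCRAM-SHA-1-PLUS", attr };
  }
  if (!offered.includes("SCRAM-SHA-1")) {
    throw new Error("no usable SCRAM mechanism offered");
  }
  // "y" lets a server that did offer -PLUS detect a stripped mechanism list.
  return { mechanism: "SCRAM-SHA-1", attr: channelBindingAttr(tlsCbData ? "y" : "n") };
}
```

A client without TLS access always ends up at `c=biws` (base64 of `n,,`), so the server cannot distinguish it from a connection where a man-in-the-middle terminated TLS; that is the protection the waiver would give up for those clients.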
