On 08.02.19 07:23, Marcel Waldvogel wrote:
> I just became aware that XEP-0412/RFC 6120 mandate SCRAM-SHA-1-PLUS. The
> way I understand it, the required TLS Channel Binding for the SASL -PLUS
> schemes is not possible from browser-based clients, as there is no way
> to get at the required low-level TLS information.
>
> Would it be possible to grant an exemption to the -PLUS requirement for
> browser-based clients? I.e., have a footnote behind "RFC 6120"
> consisting of "The mandatory-to-implement requirement of
> SCRAM-SHA-1-PLUS is waived for clients operating in environments where
> access to TLS information is not possible, i.e. browsers"?

RFCs can be modified. But this is possibly a point for 6120bis (the potential follow-up RFC of RFC 6120). On the other hand, it is probably not a real-world issue, as the ecosystem will adopt (and has AFAIKT). The only consequence is that your software may not claim full standards compliance, but this is usually only an issue if you want to sell the product and you have a manager who demands standards compliance.

- Florian
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
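Added example, not part of the original thread and not code from any XMPP project: how the channel-binding flag and the TLS data enter the c= attribute of SCRAM's client-final-message (RFC 5802), which is why a client with no access to TLS information can only send "n,," over plain SCRAM-SHA-1. The function names and the two tls-unique sample values are constructed for illustration.

```python
import base64

def gs2_header(cb_flag: str) -> bytes:
    # RFC 5802: gs2-header = gs2-cbind-flag "," [authzid] "," (authzid left empty)
    return f"{cb_flag},,".encode()

def client_c_attribute(tls_unique, server_offers_plus):
    """Return (mechanism, c= value) for the client-final-message."""
    if tls_unique is not None and server_offers_plus:
        data = gs2_header("p=tls-unique") + tls_unique
        return "SCRAM-SHA-1-PLUS", base64.b64encode(data).decode()
    # "n": client cannot do channel binding (no access to TLS data).
    # "y": client could, but did not see a -PLUS mechanism offered.
    flag = "n" if tls_unique is None else "y"
    return "SCRAM-SHA-1", base64.b64encode(gs2_header(flag)).decode()

def server_accepts(mechanism, c_value, server_tls_unique, offers_plus=True):
    """Server-side check of c=; the value is also covered by the ClientProof."""
    raw = base64.b64decode(c_value)
    if mechanism == "SCRAM-SHA-1-PLUS":
        # Must match the server's own view of the TLS connection.
        return raw == gs2_header("p=tls-unique") + server_tls_unique
    if raw == gs2_header("y"):
        # Client believes -PLUS was not offered; if it was, the list was altered.
        return not offers_plus
    return raw == gs2_header("n")

# Constructed sample values standing in for tls-unique of two TLS sessions.
SESSION_A = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")
SESSION_B = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")

if __name__ == "__main__":
    for name, cb, offered in [("native client", SESSION_A, True),
                              ("browser client", None, True),
                              ("native, -PLUS stripped", SESSION_A, False)]:
        mech, c = client_c_attribute(cb, offered)
        print(f"{name:24} {mech:17} c={c} "
              f"same-session={server_accepts(mech, c, SESSION_A)} "
              f"relayed={server_accepts(mech, c, SESSION_B)}")
```

The "relayed" column models a server whose TLS session differs from the one the client sees: the -PLUS exchange is rejected, while the "n,," exchange is accepted because nothing ties it to the TLS session.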
