On 08.02.19 08:24, Florian Schmaus wrote:
> On 08.02.19 07:23, Marcel Waldvogel wrote:
>> I just became aware that XEP-0412/RFC 6120 mandate SCRAM-SHA-1-PLUS. The
>> way I understand it, the required TLS Channel Binding for the SASL -PLUS
>> schemes is not possible from browser-based clients, as there is no way
>> to get at the required low-level TLS information.
>>
>> Would it be possible to grant an exemption to the -PLUS requirement for
>> browser-based clients? I.e., have a footnote behind "RFC 6120"
>> consisting of "The mandatory-to-implement requirement of
>> SCRAM-SHA-1-PLUS is waived for clients operating in environments where
>> access to TLS information is not possible, i.e. browsers"?
>
> RFCs can be modified. But this is possibly a point for 6120bis (the
> potential follow-up RFC of RFC 6120).

I just realized that you likely want to add a footnote to the 2019
Compliance Suites (aka XEP-0412) and not RFC 6120. I do not have a strong
opinion on this, but would like to note that I would prefer the
environments to lift the limitation instead of making an exception in the
specification.

- Florian
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
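
Added example, not part of the original thread: a sketch of where TLS channel binding data enters a SCRAM exchange (RFC 5802), which is the value the thread says a browser-based client cannot obtain. It also shows the server-side downgrade check on the `y` flag. The function names, the choice of `tls-unique` as binding type and the sample binding bytes are assumptions made for illustration.

```python
import base64

def gs2_header(cb_flag, cb_name=None):
    """Build the GS2 header (RFC 5802) with an empty authzid.

    cb_flag: 'n' = client does not support channel binding,
             'y' = client supports it but believes the server does not,
             'p' = client uses channel binding of type cb_name.
    """
    if cb_flag == "p":
        if not cb_name:
            raise ValueError("flag 'p' requires a channel binding type name")
        return f"p={cb_name},,".encode()
    if cb_flag in ("n", "y"):
        return f"{cb_flag},,".encode()
    raise ValueError(f"unknown channel binding flag: {cb_flag!r}")

def channel_binding_attr(cb_flag, cb_name=None, cb_data=None):
    """Return the c= attribute of the client-final-message:
    base64(gs2-header || channel-binding-data)."""
    payload = gs2_header(cb_flag, cb_name)
    if cb_flag == "p":
        # A -PLUS mechanism needs bytes taken from the TLS layer itself.
        # A client with no access to them (the browser case) stops here.
        if cb_data is None:
            raise RuntimeError("no TLS channel binding data: -PLUS unusable")
        payload += cb_data
    return "c=" + base64.b64encode(payload).decode()

def server_accepts_flag(cb_flag, server_offered_plus):
    """Downgrade check from RFC 5802: 'y' claims the server offered no
    -PLUS mechanism. If the server did offer one, the mechanism list was
    altered in transit and authentication must fail."""
    return not (cb_flag == "y" and server_offered_plus)

if __name__ == "__main__":
    sample_cb = bytes(range(12))  # constructed stand-in for TLS binding data
    print(channel_binding_attr("n"))                       # non-PLUS client
    print(channel_binding_attr("p", "tls-unique", sample_cb))
    print(server_accepts_flag("y", server_offered_plus=True))
```

A client that sends `n` authenticates with plain SCRAM-SHA-1 and is not affected by the downgrade check; only the `p` path depends on data from the TLS stack.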
