Hi Simon, thanks for your mail.
On 11/01/2024 13.39, Holger Weiß wrote:
> * Simon Josefsson <si...@josefsson.org> [2024-01-11 13:10]:
>> I believe tls-server-end-point is generally best left unimplemented to
>> guide efforts towards supporting the stronger tls-exporter.
>
> One use case I see for tls-server-end-point is that it allows for
> supporting channel binding by setups where TLS is terminated by some
> reverse proxy, thereby protecting against _some_ but not all attack
> vectors that tls-exporter protects against.
Additionally, implementing tls-server-end-point demands minimal effort since it is just based on the hash of the certificate. I believe that not making it mandatory won't deter anyone who is inclined to implement it, as it is a low hanging fruit.
Furthermore, we hope to achieve a high success rate by making it mandatory to implement for servers.
You are correct: one should aim for better alternatives than tls-server-end-point when implementing XEP-0440, and this should be explicitly mentioned in the XEP. As it stands, the XEP does not clearly convey this. I intend to propose a revision to rectify this in the near future.
- Flow
_______________________________________________
Standards mailing list -- standards@xmpp.org
To unsubscribe send an email to standards-le...@xmpp.org
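Added example, not part of the thread above and not code from any XMPP server or the XEP: it shows why tls-server-end-point is "just the hash of the certificate" and why a backend behind a TLS-terminating reverse proxy can still produce it. Following RFC 5929 section 4.1, the channel-binding value is a hash over the DER-encoded server certificate, where the hash is the one named by the certificate's signature algorithm, with MD5 and SHA-1 replaced by SHA-256, and undefined for algorithms that name no single hash. Everything needed is the certificate itself; no TLS key material is involved, unlike tls-exporter. The function names, the OID table and the "skeleton certificate" built by constructed_cert_skeleton (a structurally valid Certificate SEQUENCE with an empty tbsCertificate, used only so the example runs offline) are assumptions made for this example.

```python
"""tls-server-end-point channel-binding value per RFC 5929 section 4.1.

Added example, not taken from the mailing-list thread or from any XMPP
project. Uses a tiny hand-written DER reader so it runs with only the
standard library; real code would use a proper X.509 parser.
"""
import hashlib

# Signature-algorithm OID -> hash named in RFC 5929 (assumed table for the
# example). MD5 and SHA-1 signatures are mapped to SHA-256 as the RFC requires.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> SHA-256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes to dotted form (first two arcs < 40 each)."""
    parts = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def tls_server_end_point(cert_der):
    """Channel-binding bytes: hash of the whole DER certificate, hash chosen
    from its signature algorithm per RFC 5929 section 4.1."""
    oid = signature_algorithm_oid(cert_der)
    hash_name = SIG_ALG_HASH.get(oid)
    if hash_name is None:
        # RFC 5929: no single hash function => channel binding undefined
        raise ValueError(f"tls-server-end-point undefined for algorithm {oid}")
    return hashlib.new(hash_name, cert_der).digest()


# --- constructed sample input (not a real certificate) ----------------------

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for n in parts[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return out


def _der(tag, content):
    if len(content) >= 128:
        raise ValueError("skeleton builder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def constructed_cert_skeleton(sig_oid):
    """Constructed sample: Certificate SEQUENCE with an empty tbsCertificate,
    the given signature AlgorithmIdentifier, and a dummy BIT STRING."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 9)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.13"):
        cert = constructed_cert_skeleton(oid)
        print(oid, tls_server_end_point(cert).hex())
```

The SHA-1 case is the one worth remembering: a server whose certificate is signed with sha1WithRSAEncryption must still emit a SHA-256 digest, and a peer that instead hashes with SHA-1 will fail channel binding even though both sides hold the same certificate.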