On Thu, 11 Jan 2024 at 12:39, Holger Weiß <hol...@zedat.fu-berlin.de> wrote:

> * Simon Josefsson <si...@josefsson.org> [2024-01-11 13:10]:
> >I believe tls-server-end-point is generally best left unimplemented to
> >guide efforts towards supporting the stronger tls-exporter.
>
> One use case I see for tls-server-end-point is that it allows for
> supporting channel binding by setups where TLS is terminated by some
> reverse proxy, thereby protecting against _some_ but not all attack
> vectors that tls-exporter protects against.


I'm pretty sure this was a key reason we picked the approach. If TLS is
terminated before the server ever sees it, the server can still be
configured to handle tls-server-end-point.

It's not, of course, really channel binding - it's not binding to the
channel itself at all - but it does give some of the protection real
channel binding would.

Dave.
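To make the distinction in the thread concrete, here is an added example (not code from the thread, XMPP, or any of the implementations discussed) that derives the tls-server-end-point channel-binding data from a server certificate following the hash-selection rule of RFC 5929 section 4.1, and packs it into the SCRAM `c=` attribute as RFC 5802 section 7 defines it. The certificate bytes and signature-algorithm names are constructed inputs; a real implementation would take the DER end-entity certificate and its signatureAlgorithm from the TLS layer. The last function shows why this binding is not tied to the channel: two separate TLS sessions that present the same certificate (as happens behind a TLS-terminating reverse proxy) yield identical binding data, whereas tls-exporter data is derived from each session's keys.

```python
import base64
import hashlib

# Hash selection of RFC 5929 section 4.1: if the certificate's signature
# algorithm uses MD5 or SHA-1, use SHA-256; otherwise use the signature
# algorithm's own hash. Algorithms with no single hash are undefined.
# Names here are the usual OpenSSL long names (assumed for illustration).
_SIG_ALG_TO_HASH = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "ecdsa-with-SHA1": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA256": "sha256",
    "ecdsa-with-SHA384": "sha384",
    "ecdsa-with-SHA512": "sha512",
}


def server_end_point_cb_data(cert_der: bytes, sig_alg: str) -> bytes:
    """tls-server-end-point binding data: a hash of the server's end-entity
    certificate, with the hash function chosen per RFC 5929 section 4.1."""
    try:
        hash_name = _SIG_ALG_TO_HASH[sig_alg]
    except KeyError:
        raise ValueError(
            f"tls-server-end-point is undefined for signature algorithm {sig_alg!r}"
        )
    return hashlib.new(hash_name, cert_der).digest()


def scram_channel_binding_attr(cb_type: str, cb_data: bytes, authzid: str = "") -> str:
    """Build the SCRAM 'c=' attribute (RFC 5802 section 7): base64 of the
    GS2 header ('p=<cb-type>,[a=<authzid>],') followed by the raw binding data.
    Both sides compute this; the server rejects the client proof if it differs."""
    gs2_header = f"p={cb_type},{'a=' + authzid if authzid else ''},".encode("ascii")
    return base64.b64encode(gs2_header + cb_data).decode("ascii")


def bound_to_certificate_not_session(cert_der: bytes, sig_alg: str) -> bool:
    """Return True when two distinct TLS sessions presenting the same certificate
    produce the same tls-server-end-point data. This always holds, which is the
    property the thread relies on (a reverse proxy can terminate TLS and the
    backend still verifies the binding) and also its limitation (the binding does
    not distinguish sessions, unlike tls-exporter)."""
    session_a = server_end_point_cb_data(cert_der, sig_alg)
    session_b = server_end_point_cb_data(cert_der, sig_alg)
    return session_a == session_b


if __name__ == "__main__":
    # Constructed stand-in for a DER-encoded end-entity certificate.
    cert = b"constructed-der-certificate-bytes"
    data = server_end_point_cb_data(cert, "sha1WithRSAEncryption")  # upgraded to SHA-256
    print("cb-data (hex):", data.hex())
    print("c= attribute :", scram_channel_binding_attr("tls-server-end-point", data))
    print("same across sessions:", bound_to_certificate_not_session(cert, "sha1WithRSAEncryption"))
```

The `c=` value is what a client sends in its final message; a server that derives the same data from the certificate the proxy in front of it presents will accept it, so the check works even when the backend never handles the TLS session itself.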
_______________________________________________
Standards mailing list -- standards@xmpp.org
To unsubscribe send an email to standards-le...@xmpp.org