Hi,

I think most of us can agree that TLS1.3 and tls-exporter is where we want to end up at. I will likely modify the 'Require Channel Binding' setting in Conversations to require that specific channel binding instead of just any. However, on the path toward that goal, and to provide good error messages in case client-side requirements with regard to channel binding are not met, we need negotiation.
Furthermore, I believe that even the weaker channel binding mechanisms are better than not having them. It puts more hurdles in the attacker's way. Attackers aren’t always perfect. In the case of jabber.ru it looked a lot like they were throwing vanilla proxy software at the problem and not something specifically tailored to break XMPP.

The other 'not really an attack' attack that even weak channel binding can detect is when people, for whatever reason, install custom CA certificates on the phone.

I agree that the current phrasing of the XEP with regard to server-end-point is not the best.

cheers
Daniel