> What has changed in the 5 years since we discussed this is a perception of > what that mechanism should be. > > The alternative to forever enshrining 'endpoint' as a MUST would simply be > to discuss - in non normative language - the trade off between supporting > something very widely implementable like endpoint and something like > exporter.
No, that won't work. It *must* be something every client and server implementing channel-binding would be able to implement *and* offer/use. And as of today I don't know of any other channel-binding that can be used everywhere (even when using load-balancers etc). In general, I think we should create security for today, not for a hypothetical future. We can always update/depreciate this MUST via a new XEP if there ever emerges a channel binding type with the same ubiquitous properties. -tmolitor _______________________________________________ Standards mailing list -- [email protected] To unsubscribe send an email to [email protected]
