[Last-Call] Re: [Emailcore] SECDIR Review of draft-ietf-emailcore-rfc5321bis-31

John R. Levine wrote in
 <7656d421-28a0-efbd-0f5a-8c4ac19a4cde@xxxxxxxx>:
 |On Tue, 29 Oct 2024, Brian E Carpenter wrote:
 |> The Security Considerations start by saying "SMTP mail is inherently
 |> insecure" which is undoubtedly true, although "Transmission of mail via SMTP
 |> is inherently insecure" might be more precise. So I am a bit surprised that
 |> the next sentence doesn't require STARTTLS and cite RFC 3207 and RFC 7817.
 |
 |I would have hoped we would agree that we do not want to make breaking 
 |changes to a widely deployed 40 year old protocol.  While it is true that 
 |most mail over the public Internet uses STARTTLS, you and I do not know 
 |all of the places SMTP is used, it's always been an optional feature, and 
 |we at least used to give lip service to maintaining interoperability.
 |
 |As I said before I personally would not be opposed to mentioning somewhere 
 |that SMTP, like most of our other application protocols, is subject to 
 |observation for which STARTTLS can help (although as Dave noted, PGP and 
 |S/MIME address the issue at a different level), and it is subject to MITM 
 |attacks, also like most of our other application protocols, for which 
 |MTA-STS and TLSA can help.  But they are all optional extensions, not part 

This is "not for everybody" in multiple ways: the capability to place
a corresponding DNS entry, for one, and the knowledge hurdles to create
it in the first place.

But in general these are overly complicated, and intermingle the
simple client question "does the server support TLS?" with actual
TLS specifics, and that in turn is completely different from what is
done for all other email protocols.  (Unless I am mistaken.)

 |of SMTP, which is why I don't want them cluttering up the SMTP spec.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
|And in Fall, feel "The Dropbear Bard"s ball(s).
|
|The banded bear
|without a care,
|Banged on himself fore'er and e'er
|
|Farewell, dear collar bear

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
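As an added illustration of the point Steffen makes above (this is example code written for this page, not code from the thread, from any MTA, or from the cited RFCs): the checks a sending MTA has to perform under MTA-STS (RFC 8461) and DANE TLSA (RFC 6698 / RFC 7672) before it knows whether TLS is mandatory to a given MX and which certificate it may accept. Everything here is constructed: the `_mta-sts` TXT record, the policy body, the TLSA record and the stand-in SubjectPublicKeyInfo bytes; no DNS or HTTPS lookups are performed. The ordering in `tls_requirement` (DANE applied first where both mechanisms exist) follows RFC 8461 section 2; the function and record names are this example's own.

```python
"""Added example, not code from the thread: what a sending MTA must evaluate
under MTA-STS (RFC 8461) and DANE TLSA (RFC 6698 / RFC 7672) before it knows
whether TLS is mandatory for a given MX and which certificate it may accept.
All records, the policy body and the 'certificate' bytes are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed MTA-STS inputs: the _mta-sts.example.com TXT record and the policy
# body that would be fetched from https://mta-sts.example.com/.well-known/mta-sts.txt
MTA_STS_TXT = "v=STSv1; id=20240101000000Z;"
MTA_STS_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                  "mx: *.backup.example.net\nmax_age: 604800\n")

# Constructed DANE inputs: stand-in SubjectPublicKeyInfo bytes (not a real key) and
# a '3 1 1' record (DANE-EE, SPKI, SHA-256) as published at _25._tcp.mail.example.com
SPKI_DER = b"constructed-spki-bytes-not-a-real-key"
TLSA_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


@dataclass
class StsPolicy:
    mode: str = "none"
    mx: list[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the _mta-sts TXT record; reject anything not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an MTA-STS TXT record")
    return fields["id"]


def parse_sts_policy(body: str) -> StsPolicy:
    """Parse the 'key: value' policy file; unknown keys are ignored (RFC 8461)."""
    pol = StsPolicy()
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "version" and val != "STSv1":
            raise ValueError(f"unsupported policy version {val!r}")
        if key == "mode":
            if val not in ("enforce", "testing", "none"):
                raise ValueError(f"bad mode {val!r}")
            pol.mode = val
        elif key == "mx":
            pol.mx.append(val.lower())
        elif key == "max_age":
            pol.max_age = int(val)
    return pol


def sts_mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """An MX host matches an exact 'mx:' entry, or a '*.suffix' entry when only
    its leftmost label is covered by the wildcard (RFC 8461 section 3.2)."""
    host = mx_host.lower().rstrip(".")
    for pat in policy.mx:
        if pat.startswith("*."):
            suffix = pat[1:]                      # e.g. ".backup.example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pat:
            return True
    return False


@dataclass
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation-format RDATA such as '3 1 1 <hex>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_usable_for_smtp(rec: Tlsa) -> bool:
    """RFC 7672: SMTP clients use only DANE-TA(2) and DANE-EE(3); PKIX usages and
    unknown selector / matching-type values are treated as unusable."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def tlsa_matches(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the association data with the presented certificate (selector 0) or
    its SPKI (selector 1). For DANE-TA the caller passes the candidate trust-anchor
    certificate from the chain rather than the leaf."""
    subject = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return subject == rec.data
    digest = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return digest(subject).digest() == rec.data


def tls_requirement(sts: StsPolicy | None, tlsa: list[Tlsa], mx_host: str) -> str:
    """Summarise what the client must do for this MX. DANE is applied first where
    both exist (RFC 8461 section 2); with neither, TLS stays opportunistic, i.e.
    STARTTLS if the server offers it, cleartext otherwise."""
    if any(tlsa_usable_for_smtp(r) for r in tlsa):
        return "dane"
    if sts and sts.mode == "enforce":
        return "mta-sts-enforce" if sts_mx_matches(sts, mx_host) else "mta-sts-mx-mismatch"
    if sts and sts.mode == "testing":
        return "mta-sts-testing"
    return "opportunistic"
```

Note how little of this is the yes/no question "does the server support TLS?": the TXT record only signals that a policy exists, the policy body has to be fetched over a separate HTTPS channel and matched against the MX name, and a TLSA record pins certificate or key material that is only meaningful once the TLS handshake has already happened. A domain that cannot publish the `_mta-sts` / `_25._tcp` records, or get a DNSSEC-signed zone for DANE, gets none of this and is back to opportunistic STARTTLS.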