On Tue, Oct 29, 2024 at 7:25 PM John R Levine <johnl@xxxxxxxxx> wrote:
>
> On Tue, 29 Oct 2024, Paul Wouters wrote:
> >>
> >> I can easily imagine scenarios where STARTTLS makes no sense
> >
> > No network should run smtp in the clear, whether it is “over the internet” or not. Even if you’d gain nothing because you use macsec, IPsec or another link layer encryption, the cost of double encryption on email is so low that you might as well still run (opportunistic) TLS instead of unencrypted smtp.
>
> I have an old printer that e-mails "I'm jammed" or "I'm empty" notices in
> the clear to a local mail server. It's not going to change, and if we
> somehow imagine we're going to force people to reject its out of paper
> messages, we're just making ourselves look silly. New printers should
> certainly do STARTTLS, but we at least used to give lip service to
> backward compatibility and existing practice.

The Protocol Police are not going to raid your home, storm into your back closet, and haul out the printer to summarily send it to a landfill while giving you a fine if we say "thou shalt not consume SMTP sans STARTTLS".

> As I may have said once or twice, the STARTTLS stuff belongs in the A/S.

And I don't really get why: there are already references to PGP in the security considerations we are discussing, as well as oblique references to DKIM/DMARC/SPF that could be tightened up and made more useful by making them explicit. It just doesn't seem that hard to add a few sentences and references.

> R's,
> John
>
> PS:

-- 
Astra mortemque praestare gradatim

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx