On Wed, Oct 30, 2024, at 13:54, Viktor Dukhovni wrote:
> Bottom line, will SMTP without STARTTLS still be SMTP or will it be
> out of spec, with MTA implementations under pressure to drop support for
> receiving/sending cleartext SMTP.

This thread makes me feel like it's 2013 again. We had these debates about the web and HTTP at around that time.

This isn't some complex or nuanced thing. It's about whether the IETF thinks that STARTTLS is necessary to address the threat model. Sure, it isn't sufficient for email, but I don't get why a strong recommendation isn't being made.

Clearly, if you use unsecured SMTP to send mail somewhere, there's a good chance that a) it won't get there, and b) that it will get a lot of other places that you didn't intend.

Some people think that it is OK to bury a statement like that in an applicability statement. I don't see why there is a whole lot of pushback when the request is to have the main document say as much.

I don't see any request to mandate the use of STARTTLS, just to document the security considerations in the Security Considerations section.

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx