[Last-Call] Re: [Emailcore] Re: Re: SECDIR Review of draft-ietf-emailcore-rfc5321bis-31

--On Tuesday, October 29, 2024 22:24 -0400 John R Levine
<johnl@xxxxxxxxx> wrote:

> On Tue, 29 Oct 2024, Paul Wouters wrote:
>>> 
>>> I can easily imagine scenarios where STARTTLS makes no sense
>> 
>> No network should run smtp in the clear, whether it is "over the
>> internet" or not. Even if you'd gain nothing because you use
>> macsec, IPsec or another link layer encryption, the cost of double
>> encryption on email is so low that you might as well still run
>> (opportunistic) TLS instead of unencrypted smtp.
> 
> I have an old printer that e-mails "I'm jammed" or "I'm empty"
> notices in the clear to a local mail server.  It's not going to
> change, and if we somehow imagine we're going to force people to
> reject its out of paper messages, we're just making ourselves look
> silly.  New printers should certainly do STARTTLS, but we at least
> used to give lip service to backward compatibility and existing
> practice.

Let me take this a step or two further.  First, as I think someone
else pointed out, if the IETF mandated STARTTLS and were wildly
successful, John's receiving MTA (and, btw, mine with some similar
problems) might decline to accept email unless it came over an
encrypted connection.  At that point, the IETF would have mandated
significantly reduced functionality for the purpose of "protecting"
the equivalent of an "I'm jammed" message over a LAN.  Bad for the
user and, as John has suggested, makes us look silly and maybe
damages our credibility.

More important, while one view (see Paul's message) is that being
"out of touch of the NSA et al. is the minimum viable product", that
view hides a few interesting assumptions.

First, there is the issue of selective, rather than pervasive,
surveillance.  I think I've written elsewhere about the GorillaMail
<-> OtherGorilla case.  From the standpoint of encryption on the
wire, that may be the case supporting the largest number of messages,
at least in the US, Western Europe, and countries with similar usage
patterns.   Anyone here believe that their hiring practices are
sufficiently selective, perhaps to the point of omniscience, that the
NSA (since the comment above focused on them) could not succeed in
getting an appropriately trained agent embedded within the relevant
part of the Gorilla organization and/or compromising an existing
employee?   Against that sort of attack, TLS and friends are perhaps
only a notch above security theater and the only realistic option
someone trying to protect the content of their messages has is
something like S/MIME or PGP, desktop to desktop.  

Second and perhaps more important globally (and the NSA aside),
suppose some collection of Internet users live in, say, Lower
Slobbovia.  Then suppose that the government of Lower Slobbovia has
concluded that spying on in-transit traffic is necessary to protect
its citizens from various real or imaginary attacks and prohibits the
use of TLS or equivalent within the country.  For users in that
country, there is then a choice between receiving mail in cleartext
(at least as far as the transport system is concerned) and being cut
off completely from the global Internet's email structure.  If all
they are passing in and out of the country are favorite recipes or
the next move in a chess game, they may not care whether the
government intercepts those or not. They might even like the idea of
the government having to invest resources in surveilling and
evaluating such traffic.  If they have communications interests that
the government would consider inappropriate, they might have
knowledge of centuries-old traditions of using codes (not ciphers or
other forms of encryption) that can slip information past hostile
spectators disguised as something else.  

The two cases come together a bit if the Lower Slobbovian government
makes the use of private email systems illegal and requires that all
mail go through government-provided servers.  Then there would be no
need to even bother with monitoring traffic on the wire where
capturing the traffic on those servers is far easier.

Do we really want to be in the position of having the IETF make the
decision to cut residents of that country off from the Internet,
preventing both casual conversations that don't need workarounds and
whatever other mechanisms they might adopt to carry out
conversations, perhaps even plot revolution, without the government
noticing?  Only if the answer is "yes" is trying to fix email so that
sending unencrypted traffic between hosts is impossible a good answer.
 
> As I may have said once or twice, the STARTTLS stuff belongs in the
> A/S.

And, for the reasons above, probably as strong advice, not an
"implementation that allows cleartext is non-conforming" requirement
or a suggestion that a message that arrives without transport
encryption should be bounced or just silently dropped.

   john

> 
> R's,
> John
> 
> PS:


-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
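The thread above argues over three client behaviours (never try STARTTLS, try it when offered, insist on it) and over what a receiving MTA should do with a session that never upgrades. The script below is an added illustration, not code from this thread, from the rfc5321bis draft, or from any of the participants: it models the EHLO/STARTTLS portion of an SMTP session (RFC 3207) against a scripted server so the three policies and the "MTA refuses cleartext" outcome can be seen side by side. The hostnames, the `ScriptedServer` class and its reply strings are constructed for the example; no sockets are opened and the TLS handshake itself is not performed, only the SMTP-level decision around it.

```python
"""Opportunistic vs. mandatory STARTTLS, client and server side (added example).

Nothing here is from RFC 5321bis or the emailcore drafts; the server is a
constructed stand-in that answers the few commands the example needs.
"""
from dataclasses import dataclass, field
from enum import Enum


class TlsPolicy(Enum):
    NONE = "none"                    # never issue STARTTLS (the old printer)
    OPPORTUNISTIC = "opportunistic"  # upgrade when offered, else stay in clear
    REQUIRED = "required"            # abort unless STARTTLS is offered and accepted


@dataclass
class Outcome:
    transport: str                       # "tls", "cleartext", "rejected" or "aborted"
    transcript: list = field(default_factory=list)


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    RFC 5321 4.1.1.1: '250-' lines continue, '250 ' is the last line; the
    first line is the server's domain/greeting, not an extension keyword.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO not accepted: " + (lines[0] if lines else "<empty>"))
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 4:
            raise ValueError("malformed EHLO reply line: " + line)
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return extensions


class ScriptedServer:
    """Constructed receiving MTA: configurable STARTTLS advertisement and policy."""

    def __init__(self, advertises_starttls: bool, accepts_starttls: bool = True,
                 requires_tls: bool = False):
        self.advertises_starttls = advertises_starttls
        self.accepts_starttls = accepts_starttls
        self.requires_tls = requires_tls      # the "cleartext is non-conforming" MTA
        self.tls_active = False

    def reply(self, cmd: str) -> str:
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.example greets you", "250-SIZE 10240000"]
            if self.advertises_starttls and not self.tls_active:   # RFC 3207 4.2
                lines.append("250-STARTTLS")
            lines.append("250 8BITMIME")
            return "\n".join(lines)
        if verb == "STARTTLS":
            if not self.advertises_starttls or self.tls_active:
                return "503 5.5.1 Bad sequence of commands"
            if not self.accepts_starttls:
                return "454 4.7.0 TLS not available due to temporary reason"
            self.tls_active = True            # handshake itself not modelled
            return "220 2.0.0 Ready to start TLS"
        if verb == "MAIL":
            if self.requires_tls and not self.tls_active:
                return "530 5.7.0 Must issue a STARTTLS command first"
            return "250 2.1.0 Sender OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command not recognized"


def send_message(policy: TlsPolicy, server: ScriptedServer) -> Outcome:
    """Run EHLO / STARTTLS / MAIL FROM under `policy` and report how it ended."""
    out = Outcome("cleartext")

    def send(cmd: str) -> str:
        reply = server.reply(cmd)
        out.transcript.append("C: " + cmd)
        out.transcript.extend("S: " + line for line in reply.splitlines())
        return reply

    exts = parse_ehlo(send("EHLO client.example"))
    tls = False
    if policy is not TlsPolicy.NONE and "STARTTLS" in exts:
        if send("STARTTLS").startswith("220"):
            tls = True
            # RFC 3207 4.2: discard earlier EHLO data and re-issue EHLO inside TLS.
            exts = parse_ehlo(send("EHLO client.example"))
        elif policy is TlsPolicy.REQUIRED:
            send("QUIT")
            out.transport = "aborted"
            return out
    if policy is TlsPolicy.REQUIRED and not tls:
        send("QUIT")
        out.transport = "aborted"
        return out
    if not send("MAIL FROM:<printer@lan.example>").startswith("250"):
        send("QUIT")
        out.transport = "rejected"   # the receiving MTA bounced the cleartext session
        return out
    out.transport = "tls" if tls else "cleartext"
    return out


if __name__ == "__main__":
    # The "I'm jammed" printer against a lenient MTA, then against one that insists on TLS.
    for mta in (ScriptedServer(advertises_starttls=True),
                ScriptedServer(advertises_starttls=True, requires_tls=True)):
        result = send_message(TlsPolicy.NONE, mta)
        print(result.transport, *result.transcript, sep="\n  ")
```

The two runs in the `__main__` block are the scenario from the thread: the same printer, never sending STARTTLS, gets its notice accepted in cleartext by the first MTA and a `530 5.7.0 Must issue a STARTTLS command first` from the second. Swapping the client to `TlsPolicy.OPPORTUNISTIC` gives the behaviour Paul describes (TLS whenever the peer offers it, cleartext otherwise), and `TlsPolicy.REQUIRED` gives the client-side counterpart of the mandate John Klensin objects to.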