On 10/30/2024 10:02 AM, Rob Sayre wrote:
I think the WG could agree to briefly describe STARTTLS and get on with it.
The protocol SMTP provides no facilities for privacy or security. And the nature of the task it does does not inherently require any. So, it will function just fine without either.
That is, nothing about privacy or security for SMTP, the protocol, requires a MUST. Or even a Should.
It does support extensions that can be announced and might provide privacy or security enhancements. But these are not part of SMTP, per se.
And the document in question, here, is SMTP, not the entire world of email or even the entire world of email handling.
So the concern, here, is about best practices for using /associated/ privacy/security technologies in many/most environments -- with some lobbying to claim that it is needed in absolutely, positively, all environments, no matter the cost or inconvenience, including to the installed base.
Here, too, a MUST is problematic, because, as has been noted, installed base.
For SMTP over the open Internet, the fact that usage involves interactions with other, independent parties justifies being quite forceful about protection mechanisms, because it is not just the single operator of SMTP that is affected by problems. But note the context. Which sounds like the scope of an A/S, not a protocol specification.
A view that something is easy to add to a spec is wonderfully appealing, especially when accompanied by dismissal of concerns about... installed base. For matters affecting clear and present dangers, such dismissal not only make sense; it is required. So, for example, mandating TLS over the open Internet can make sense. But in the privacy of your own home (network)? hmmm.
Everything that has been discussed here, for SMTP, makes complete sense to include in the intended A/S, and none of it pertains to the technical specification of SMTP's base document.
d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net mast:@dcrocker@mastodon.social -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
