On Wed, Oct 30, 2024, 12:22 PM Dave Crocker <dhc@xxxxxxxxxxxx> wrote:
On 10/30/2024 10:02 AM, Rob Sayre wrote:
> I think the WG could agree to briefly describe STARTTLS and get on
> with it.
The protocol SMTP provides no facilities for privacy or security. And
the nature of the task it does does not inherently require any. So, it
will function just fine without either.
That is, nothing about privacy or security for SMTP, the protocol,
requires a MUST. Or even a Should.
It does support extensions that can be announced and might provide
privacy or security enhancements. But these are not part of SMTP, per se.
And the document in question, here, is SMTP, not the entire world of
email or even the entire world of email handling.
So the concern, here, is about best practices for using /associated/
privacy/security technologies in many/most environments -- with some
lobbying to claim that it is needed in absolutely, positively, all
environments, no matter the cost or inconvenience, including to the
installed base.
Here, too, a MUST is problematic, because, as has been noted, installed
base.
For SMTP over the open Internet, the fact that usage involves
interactions with other, independent parties justifies being quite
forceful about protection mechanisms, because it is not just the single
operator of SMTP that is affected by problems. But note the context.
Which sounds like the scope of an A/S, not a protocol specification.
A view that something is easy to add to a spec is wonderfully appealing,
especially when accompanied by dismissal of concerns about... installed
base. For matters affecting clear and present dangers, such dismissal
not only make sense; it is required. So, for example, mandating TLS
over the open Internet can make sense. But in the privacy of your own
home (network)? hmmm.
Everything that has been discussed here, for SMTP, makes complete sense
to include in the intended A/S, and none of it pertains to the technical
specification of SMTP's base document.
I'm sorry, this is the same document with a reference to PGP in it? Why is that appropriate given this loudly proclaimed scope and not STARTTLS?
Why are oblique references to DKIM/SPF in this section saying it's bad ok but making them actual references people can follow without esoterica not?
I just have trouble squaring this email with the actual text in question.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
-- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
