Hi Martin,
At 14:01 16-08-2011, Martin Rex wrote:
> Security-wise, the SRV record suggested by rfc6196 seems to create
> additional security problems, so I would also not like to see it being
> "adopted" as is. :-/
The YAM working group participants did not point to any security
problem in RFC 6186. A reading of the YAM mailing list archive would
make it clear that nobody disliked RFC 6186. There was a
pre-evaluation of RFC 4409 (see
draft-ietf-yam-4409bis-submit-pre-evaluation-00). As there seems to
be some confusion when the term "downref" is mentioned, I'll put the
question as follows:
Could the reference for RFC 6186 be mentioned in
draft-ietf-yam-4409bis-submit-pre-evaluation-00?
If the above question is too stringent, let's try a simpler one:
Is there any documentation about implementations of RFC 6186?
Given that nobody came forward to point to any documentation, there
wasn't any reason to spend more time on the question.
> While I fully agree that it is sensible to relegate (and fix) the
> authentication to a different document, I currently see this:
>
> http://tools.ietf.org/html/draft-ietf-yam-rfc4409bis-02#section-7
>
> | AUTH | Authentication | MUST | [SMTP-AUTH] |
>
> And it somehow feels wrong to exhibit an ostrich-like behaviour about
> the current mess around SMTP-AUTH in the security considerations section.
RFC 4954 is authoritative for SMTP AUTH. If there is a mess around
SMTP AUTH and it has to be fixed, the best place to do so is in a
revision of RFC 4954. This draft is more about the separation of
submission and relay of messages.
> I believe it would be sensible to describe the desired authentication model
> for MUA->MTA in more detail, beyond the mere reference of [SMTP-AUTH]
> in section 4.3 of the current document:
The intent is to publish the document as a Full Standard. As much as
it may be sensible to describe the desired authentication model, it
had to be shown that changes would
contribute in a substantial and substantive way to the quality and
comprehensibility of the specification as that was the guideline
given to working group participants. If you would like to recommend
additional text, I suggest sending a message to the YAM mailing list.
If there are any questions that have not been addressed to your
satisfaction, please let me know so that I can bring it to the
attention of the working group.
Regards,
S. Moonesamy