2008-10-27 23:03:13

Putting on my area director hat:

An RFC 3207 STARTTLS revision needs text related to server identity check. I would prefer this text be as similar as possible to server identity check text in other IETF application protocols.

For Submit, I'd expect the TLS server identity check to be mandatory-to-implement and very close to that of IMAP and POP (or to have a justification why it shouldn't follow IETF practices for this).

I've attempted to get volunteers to write a generalized TLS server identity check for use by applications so it can be included by reference. The initial draft has unfortunately expired: <> and needs work. This issue has come up in _many_ WGs and protocols.

For SMTP transfer, the situation is different and probably needs technical discussion to reach consensus on the path forward. It would not surprise me if we needed one or more additional EHLO keywords/arguments to resolve legitimate concerns. I will observe that for SMTP without SMTP AUTH, there is value in opportunistic STARTTLS encryption without authentication as long as the risks are understood.

