ietf-smtp

Re: STARTTLS & EHLO: Errata text?

2009-01-29 21:15:54

Alexey Melnikov wrote:

> I would like to suggest an alternative: how about saying
>
>  The server MUST NOT trust any information obtained
>  from the client, such as command verbs and their arguments, prior
>  to the TLS negotiation.
>  The client MUST NOT trust any information obtained from the server,
>  such as the list of SMTP service extensions,
>  prior to the TLS negotiation.
>
> This avoids the whole issue of what the client/server must and must not remember.

I don't follow the client MUST NOT trust statement. Is it not supposed to believe what the server presents for extensions?

   S:  We support STARTTLS, AUTH CRAM-MD5
   C:  Liar!! No you don't, I don't believe you.

??

I think what you are implying is:

   The client MUST NOT presume the same server extensions apply
   after secured SMTP is established.

This is already discussed (implied) in 3207.

--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
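
The rule debated in this message, sketched as client-side state handling. This is an added example, not part of the original message: the class, the function names and the EHLO replies are constructed for illustration, and using AUTH only from a list received inside TLS is an assumed client policy. The cleartext extension list is consulted only to decide whether to issue STARTTLS, then discarded, and EHLO is issued again.

```python
# Constructed sample replies (not captured traffic).
PRE_TLS_EHLO = ("250-mail.example.org\r\n250-STARTTLS\r\n"
                "250-AUTH CRAM-MD5\r\n250 SIZE 10240000\r\n")   # cleartext
POST_TLS_EHLO = ("250-mail.example.org\r\n250-AUTH PLAIN LOGIN\r\n"
                 "250 SIZE 52428800\r\n")                        # inside TLS


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    features = {}
    for line in reply.strip().split("\r\n")[1:]:   # line 0 is the greeting
        if len(line) < 5 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        keyword, *params = line[4:].split()
        features[keyword.upper()] = [p.upper() for p in params]
    return features


class ClientSession:
    """Hypothetical client state: which extension list may be acted on."""

    def __init__(self):
        self.tls_active = False
        self.features = {}

    def on_ehlo(self, reply):
        self.features = parse_ehlo(reply)

    def on_starttls_done(self):
        # Drop everything learned in cleartext; EHLO must be issued again.
        self.tls_active = True
        self.features = {}

    def auth_mechanisms(self):
        # Assumed policy: AUTH only from a list received inside TLS.
        return self.features.get("AUTH", []) if self.tls_active else []


def negotiate(pre_tls_reply, post_tls_reply):
    session = ClientSession()
    session.on_ehlo(pre_tls_reply)
    # The cleartext list is used for one decision only: whether to try TLS.
    if "STARTTLS" not in session.features:
        raise RuntimeError("server did not offer STARTTLS")
    session.on_starttls_done()
    stale = session.auth_mechanisms()   # empty: the cleartext AUTH list is gone
    session.on_ehlo(post_tls_reply)
    return stale, session.auth_mechanisms()
```
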