ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP

2020-01-01 12:40:31
from [Richard Clayton] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message 
<994e7a23-9e80-4751-6067-8863ad0ee72f(_at_)network-heretics(_dot_)com>,
Keith Moore <moore(_at_)network-heretics(_dot_)com> writes


And since this would be entirely new practice, it would at least be 
possible to require Organization Validation or Extended Validation 
certificates as a condition of accepting mail, or more likely, as a 
condition of not pessimizing mail... 


We cannot prescribe whether a receiver is going to accept email, you can
merely state what the correct protocol is for the transfer and for
efficient signalling of accept/reject decisions.


and/or set up email-specific CAs 
for the purpose of authenticating SMTP clients.

I don't claim that it's simple to make this work - the devil is, as 
always, in the details.   I don't think there is a magic bullet.   But I 
do see client cert authentication of SMTP-over-TLS as another potential 
tool in the toolbox.


No-one in the world of large scale transfer thought that server certs
from existing CAs (or DANE and its reliance on DNSSEC) were going to
work reliably at scale ... so the bulk handlers of email went for (and
have deployed) MTA-STS (RFC8461) instead.

I doubt that the views of the practicality of using client certs would
be all that different.

Note that the driver for MTA-STS was nothing to do with preventing abuse
in the sense its used in this thread so far (the bad guys are far better
at adopting new standards, configuring correctly etc than the good guys
are) ... but to address the threat of events such as BGP hijacks causing
mail flows to go to the wrong place... or middleboxes removing
encryption from connections

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBXgznit2nQQHFxEViEQKKlACfTDRUTykzXDHwFltSRXGj+aUxrsYAoKe1
AzRgZqI7ix8VK0ia6OeGu8oQ
=R9/n
-----END PGP SIGNATURE-----

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-smtp] Endless debate on IP literals, John Levine
Next by Date:  Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP, John Levine
Previous by Thread:  Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP, Keith Moore
Next by Thread:  Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP, Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]