> On 10/23/2013 08:09 PM, Jim Fenton wrote:
> > On 10/23/13 11:28 AM, John-Mark Gurney wrote:
> >> Is it just me, or is it funny that we are talking about securing the
> >> inet, yet the ietf apparently doesn't do STARTTLS when sending email?
> >> and hence the perpass email list is sent out unencrypted...
> >>
> >> Guess I'll drop a note to [email protected].
> >>
> > It's not just you.  IETF SHOULD be using STARTTLS for email, not
> > particularly for this or other mailing lists (where attackers could just
> > read the archives, anyway) but because it's the Right Thing To Do.

> That was discussed in the DANE meeting in Berlin and
> there's a plan for eating our own dogfood, but I'm
> not sure where it's at. Will check.

If by "for email" you mean "for outgoing SMTP relay", this is *not*
as easy as turning on opportunistic use of STARTTLS in SMTP.

The main problem is dealing with SSL/TLS negotiation failures, either because
you don't share a ciphersuite or because the server says it supports STARTTLS
but doesn't actually have a certificate installed. (The latter is distressingly
common.) When this happens you have to close the connection and try again. Some
SMTP clients support this, others do not.

As for DANE or other DNS announcements, it's far too new to be of much use.

                                Ned
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
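The retry Ned describes, written out as an added example that is not code from this thread or from any IETF or MTA software: a client that offers STARTTLS, and, when the server answers 220 but the handshake then fails (no certificate, no shared ciphersuite), drops that connection and opens a fresh one without TLS. The "server" is a constructed in-memory model so the script runs offline; the client host name client.example, the mx*.example names and the reply strings are made up for the example.

```python
"""Opportunistic STARTTLS with fall-back on TLS negotiation failure.
Added example, not code from the thread or from any IETF system.  The server
side is a constructed in-memory stand-in so this runs offline (no sockets, no TLS)."""


class FakeServer:
    """Constructed remote MX.  handshake_ok=False models a server that answers
    220 to STARTTLS but has no usable certificate (or no common ciphersuite)."""

    def __init__(self, name, advertises_starttls=True, tls_available=True,
                 handshake_ok=True):
        self.name, self.advertises_starttls = name, advertises_starttls
        self.tls_available = tls_available   # False -> "454" reply to STARTTLS
        self.handshake_ok = handshake_ok
        self.connections = 0                 # TCP connections the client opened

    def connect(self):
        self.connections += 1
        return FakeConnection(self)


class FakeConnection:
    def __init__(self, server):
        self.server, self.tls, self.alive = server, False, True

    def command(self, line):
        if not self.alive:
            raise ConnectionError("connection closed")
        verb, srv = line.split()[0].upper(), self.server
        if verb == "EHLO":
            lines = ["250-" + srv.name, "250-SIZE 10240000"]
            if srv.advertises_starttls and not self.tls:  # not re-offered inside TLS
                lines.append("250-STARTTLS")
            return lines + ["250 8BITMIME"]
        if verb == "STARTTLS":
            if not srv.advertises_starttls:
                return ["500 command not recognized"]
            if not srv.tls_available:
                return ["454 TLS not available due to temporary reason"]
            return ["220 Ready to start TLS"]  # sent even when no cert is installed
        if verb in ("MAIL", "RCPT", "."):       # "." ends DATA; body omitted here
            return ["250 OK"]
        if verb == "DATA":
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            self.alive = False
            return ["221 Bye"]
        return ["500 command not recognized"]

    def start_tls(self):
        """The TLS handshake that follows the 220 reply."""
        if not self.server.handshake_ok:
            self.alive = False  # a failed handshake leaves the socket unusable
            raise ConnectionError("TLS handshake failed")
        self.tls = True


class TlsNegotiationFailed(Exception):
    """STARTTLS got a 220 but the handshake did not complete."""


def ehlo(conn):
    replies = conn.command("EHLO client.example")   # hypothetical client name
    if not replies[-1].startswith("250"):
        raise RuntimeError("EHLO rejected: " + replies[-1])
    # First line is the server name; the rest are extension keywords.
    return {r[4:].split()[0].upper() for r in replies[1:]}


def smtp_session(server, sender, rcpt, use_tls):
    """One SMTP connection.  Returns True if the message went over TLS."""
    conn = server.connect()
    exts = ehlo(conn)
    if use_tls and "STARTTLS" in exts:
        reply = conn.command("STARTTLS")[0]
        if reply.startswith("220"):
            try:
                conn.start_tls()
            except ConnectionError:
                # This socket is dead: the caller must reconnect and decide
                # whether to deliver in the clear.
                raise TlsNegotiationFailed(reply)
            ehlo(conn)  # RFC 3207: discard pre-TLS EHLO data and EHLO again
        # Any other reply (454 "TLS not available" is the usual one) means no
        # TLS on this connection; RFC 3207 lets the client carry on in the clear.
    for cmd, code in (("MAIL FROM:<%s>" % sender, "250"),
                      ("RCPT TO:<%s>" % rcpt, "250"), ("DATA", "354"), (".", "250")):
        reply = conn.command(cmd)[0]
        if not reply.startswith(code):
            raise RuntimeError("%s -> %s" % (cmd, reply))
    conn.command("QUIT")
    return conn.tls


def deliver(server, sender, rcpt):
    """Opportunistic TLS: try STARTTLS; if the handshake fails, open a fresh
    connection and send in plaintext rather than defer or bounce."""
    try:
        return smtp_session(server, sender, rcpt, use_tls=True)
    except TlsNegotiationFailed:
        return smtp_session(server, sender, rcpt, use_tls=False)


if __name__ == "__main__":
    srv = FakeServer("mx.example", handshake_ok=False)  # the "no cert installed" case
    print("tls=%s connections=%d" % (deliver(srv, "a@example.org", "b@mx.example"),
                                     srv.connections))
```

The second attempt deliberately ignores the STARTTLS the server still advertises; that is what makes the TLS opportunistic rather than enforced, and it is also why a client that lacks this reconnect logic cannot safely turn STARTTLS on for all destinations. A 454 reply is the easier case, since the connection is still usable and the client may simply continue without TLS.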
