I've read this draft and I support its publication as a BCP.
I have one minor issue:
In 3.3, first paragraph:
Combining unprotected and TLS-protected communication opens the way
to SSL Stripping and similar attacks. In cases where an application
protocol allows implementations or deployments a choice between
strict TLS configuration and dynamic upgrade from unencrypted to TLS-
protected traffic (such as STARTTLS), clients and servers SHOULD
prefer strict TLS configuration.
Is this text recommending use of TLS on a separate port (e.g. IMAPS),
that STARTTLS should always be used (and remembered, in order to prevent
downgrade attacks) or both? I would like this text to be clarified to be
unambiguous.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
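The two readings the poster asks about (a strict configuration that never speaks plaintext, versus STARTTLS whose availability is remembered so a later stripped greeting is refused) can be put side by side in code. This is an added example, not text from the draft or the poster; the EHLO lines are constructed sample data in the SMTP response format, and the capability cache is a hypothetical in-memory store.

```python
"""Strict versus opportunistic STARTTLS policy for a mail client.

Demonstrates the downgrade problem the draft text alludes to: an attacker
sitting on the plaintext path can remove the STARTTLS capability from the
server greeting, and a purely opportunistic client will quietly fall back
to cleartext. A strict client, or one that remembers earlier STARTTLS
offers, refuses the plaintext session instead.
"""
from dataclasses import dataclass, field

# Constructed sample greetings (SMTP EHLO response format, RFC 5321 style).
EHLO_WITH_STARTTLS = ["250-mail.example.test", "250-STARTTLS", "250 OK"]
EHLO_STRIPPED = ["250-mail.example.test", "250 OK"]  # STARTTLS removed on the wire


def offers_starttls(ehlo_lines):
    """True if any multi-line EHLO response line advertises STARTTLS."""
    # Each line is "250-KEYWORD" (continuation) or "250 KEYWORD" (last line).
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)


@dataclass
class TlsPolicy:
    # strict=True: TLS is mandatory (implicit TLS port or required STARTTLS).
    strict: bool
    # Hosts that have previously advertised STARTTLS; hypothetical local cache.
    seen_starttls: set = field(default_factory=set)

    def decide(self, host, ehlo_lines):
        """Return 'tls' to upgrade, 'plaintext' to continue unencrypted,
        or 'abort' to refuse the session."""
        if offers_starttls(ehlo_lines):
            self.seen_starttls.add(host)  # remember for downgrade detection
            return "tls"
        if self.strict or host in self.seen_starttls:
            # Either TLS is required outright, or this host used to offer
            # STARTTLS and now does not: treat as a stripping attempt.
            return "abort"
        return "plaintext"  # opportunistic fallback, vulnerable to stripping


def demo():
    """Walk through both policies against a stripped greeting."""
    strict = TlsPolicy(strict=True)
    opportunistic = TlsPolicy(strict=False)
    host = "mail.example.test"
    return {
        "strict_stripped": strict.decide(host, EHLO_STRIPPED),
        "opp_first_stripped": opportunistic.decide(host, EHLO_STRIPPED),
        "opp_then_offered": opportunistic.decide(host, EHLO_WITH_STARTTLS),
        "opp_remembered_stripped": opportunistic.decide(host, EHLO_STRIPPED),
    }
```

Only the strict policy refuses the very first stripped greeting; the opportunistic client is protected only once it has seen the host offer STARTTLS and remembers that.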