Ralph,

Sorry for the delay in reply. Your comments are very insightful and made me think along the following lines:

First, the topic of “OS for TLS” is open for discussion in UTA. Interested writer(s) and presenter(s) are welcome to the Dallas meeting. That being said, using TLS with email protocols has been in the scope of UTA from the start. (BTW, to describe such a document, UTA’s charter uses “bcp” instead of BCP because it’s not about the type of the document, but about its scope and intent.)

Right now, the DEEP draft is not a bcp document for using TLS with e-mail protocols. As you pointed out, currently email protocols use TLS opportunistically, at best. Perhaps because of that, the authors start the document by introducing a new comprehensive DEEP approach to elevate the current “more or less” opportunistic mode of operation to the “assured” one. To do so, a range of existing current practices is included in the document at different places “as needed” and described with various levels of detail. Some are included as the building blocks for DEEP (e.g., Implicit TLS), others to acknowledge other less secure practices (e.g., certificate pinning in 3.2 and the OS-like mode in 3.3).

My point is that splitting (or, alternatively, renaming and rearranging) the draft into <Part 1: bcp> and <Part 2: new: DEEP> would be a better fit for UTA and more beneficial to UTA’s audience with little or no overhead. It seems that UTA does need to document best **existing** email practices (built on various OS approaches) with their technical details, in order to improve interoperability and coexist with the emerging new solution(s) … until those are universally deployed.

Also, as mentioned in the Open Issues in the draft, DEEP represents one possible direction for improving e-mail security; using DANE for MUAs would be an orthogonal approach to include and potentially explore.

Hope this makes sense,
Orit.

From: Ralph Holz [mailto:[email protected]]
Sent: Monday, March 02, 2015 4:36 PM
To: Orit Levin (LCA)
Cc: [email protected]
Subject: Re: [Uta] Splitting the draft? [was RE: draft-ietf-uta-email-deep-00 comments]

Hi Orit,

How does this relate to the new drafts for Opportunistic Security? It seems to me that at least the TLS level should be synchronised. So maybe it makes sense to split this up, go ahead with opportunistic security profiles for certain applications (= OS + DEEP, part 1), enhanced with further privacy measures for email (= DEEP, part 2)?

Ralph

On 3 March 2015 at 10:45, Orit Levin (LCA) <[email protected]> wrote:

During the last meeting, I expressed my opinion (as an individual, not as a chair) that it would be reasonable to split the draft into two:

1. A "best current practices for e-mail" document expanding the tls-bcp document and based on existing protocols and mechanisms.
2. A separate "proposed standard" document defining new mechanisms in order to improve email security, etc. These correspond to definitions in sections 5, 6, 7, the related procedures throughout the document, and the IANA Considerations.

There was no time for this discussion at the meeting, so we agreed to move it to the list. I would like to know what people think about this direction.

Thanks,
Orit.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
