Has the security area produced any published text describing the general
benefits of implicit vs. STARTTLS? I can’t exactly reference a discussion on
IETF/crypto-protocol-security.
There is existing text in the main document (as opposed to the non-normative
appendix) that favors implicit TLS. If that’s not good enough, can you suggest
wording improvements?
Thanks,
- Chris
On March 13, 2016 at 10:32:03, Aaron Zauner ([email protected]) wrote:
Hi,
Excellent to see that there's renewed progress with this (important) document!
I will be looking over the document again in the next few days a couple of
times, I've just reviewed the diff and this came to mind:
Appendix A documents use of port 465 pretty well. It should be noted that
there's a document that deprecates use of this port, but
IETF/crypto-protocol-security discussion over the last years has shown clearly
that in-band upgrade is not the way to go, hence STARTTLS and ports registered
for its use should continue to be used, but a paragraph might be added that
use of port 465 (and thus implicit TLS as opposed to STARTTLS) is preferred. We
don't get (strippable) in-band upgrade. It should also be noted that - in the
current state of SMTP deployments at least - this port usually serves
certificates that are not officially signed by certificate authorities, and
are, quite often, broken in some sense: wrong/bad common name, strange
extension fields and sometimes broken character-set induced problems in
certificates.
Thanks for working on this again,
Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
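To make the "strippable in-band upgrade" point from the message above concrete, here is an added illustration (not code from the UTA draft, the list discussion, or either author) of how a STARTTLS client reads the cleartext EHLO reply on port 587, what an on-path attacker can do to that reply before any TLS exists, and how an implicit-TLS connection on port 465 avoids that phase entirely. The EHLO reply text, the hostname mail.example.test and the helper names are constructed for the example; the two connect functions make real network calls and are not exercised offline.

```python
import smtplib
import ssl

# Constructed EHLO reply, as a server on the STARTTLS port (587) would send
# it in the clear before any TLS exists. Hostname and address are placeholders.
EHLO_HONEST = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Return the EHLO keywords a server advertised, upper-cased.
    The first 250 line carries the server domain and greeting, not a keyword."""
    lines = [line for line in reply.splitlines() if line.startswith("250")]
    return {line[4:].split(" ", 1)[0].upper() for line in lines[1:]}


def strip_starttls(reply):
    """Simulate an on-path attacker rewriting the cleartext EHLO reply so that
    STARTTLS is no longer offered. Nothing protects this reply yet: the client
    has not negotiated TLS, which is exactly the in-band-upgrade problem."""
    kept = [line for line in reply.splitlines()
            if line[4:].upper().split(" ", 1)[0] != "STARTTLS"]
    # Re-join so that only the final line carries the '250 ' terminator.
    body = ["250-" + line[4:] for line in kept[:-1]] + ["250 " + kept[-1][4:]]
    return "\r\n".join(body) + "\r\n"


def starttls_decision(reply, require_tls):
    """What a STARTTLS client does after reading the EHLO reply.
    'upgrade'   - STARTTLS offered, client issues it
    'plaintext' - not offered and client is opportunistic: silent downgrade
    'abort'     - not offered and the client insists on TLS"""
    if "STARTTLS" in parse_ehlo(reply):
        return "upgrade"
    return "abort" if require_tls else "plaintext"


def connect_implicit_tls(host, port=465):
    """Implicit TLS: the TLS handshake precedes the SMTP greeting, so there is
    no cleartext capability exchange for an attacker to rewrite. A verifying
    context is used, so a port-465 deployment with an unsigned or malformed
    certificate (the caveat raised above) fails loudly with
    ssl.SSLCertVerificationError instead of silently continuing.
    Network call; not exercised offline."""
    ctx = ssl.create_default_context()
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)


def connect_starttls(host, port=587):
    """STARTTLS: cleartext EHLO first, then upgrade. Refuse to proceed unless
    STARTTLS is offered; an opportunistic client would instead hand a stripping
    attacker a plaintext session. Network call; not exercised offline."""
    ctx = ssl.create_default_context()
    conn = smtplib.SMTP(host, port, timeout=10)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.quit()
        raise RuntimeError("STARTTLS not offered; refusing plaintext session")
    conn.starttls(context=ctx)
    conn.ehlo()  # capabilities must be re-read inside TLS, not trusted from before
    return conn


if __name__ == "__main__":
    print("honest reply, opportunistic client:",
          starttls_decision(EHLO_HONEST, require_tls=False))
    print("stripped reply, opportunistic client:",
          starttls_decision(strip_starttls(EHLO_HONEST), require_tls=False))
    print("stripped reply, strict client:",
          starttls_decision(strip_starttls(EHLO_HONEST), require_tls=True))
```

The opportunistic client is the one that matters in practice: against the stripped reply it proceeds in plaintext without any error, which is the downgrade the message above refers to. The strict client at least fails closed, but only a strict policy or implicit TLS removes the attack, and with implicit TLS the certificate-verification failures the message mentions surface immediately at connect time rather than being hidden behind an optional upgrade.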