On 4/25/16 6:49 AM, Leif Johansson wrote:
> On 2016-04-25 15:37, Leif Johansson wrote:
>>
>> Thanks,
>>
>> In BA there was consensus (pretty strong at that) to adopt this draft as
>> a WG document.
>>
> s/this draft/these drafts/
>
> This is 2 (two) separate consensus calls. Please express your support
> or objection for either/both documents going forward as WG documents.
>
>> This starts an adoption call for adoption as a WG document. Please
>> indicate your support or objection (with motivation) for WG adoption
>> no later than EOB (any TZ) May 1st
>>
>> Cheers Leif
1. TLSRPT

This looks like a useful extension, analogous in some ways to the reporting aspects of DMARC, which I understand have been beneficial. I'm not sure how reporting fits with the UTA WG's charter though: perhaps as one of the 'best practices' that it alludes to? With that caveat, I support adoption of TLSRPT as a WG document.

2. STS

I'm a bit more concerned about STS. We effectively already have a policy mechanism for SMTP servers to advertise their use of STARTTLS, but an insecure one: the EHLO response. Other than requiring the use of DNSSEC (which I think everyone agrees is a non-starter), other options for domains to publish STARTTLS policy all have some security problems that we are trying to work around by "webby" mechanisms. STS was supposed to be easier to deploy than alternatives that required new MTA software, but with the requirements to deploy web servers, and possibly a new discovery mechanism to figure out where to look for them, I'm not sure it is as easy to deploy as it once looked.

In the IRTF Open Session at IETF 95, one of the papers said that STARTTLS is stripped on 96.1% of email coming from Tunisia (and significant fractions from other countries as well). We should be asking whether STS would improve that situation, or simply whether whoever is doing the blocking could deploy mechanisms to defeat STS as well. If it wouldn't, long term, improve that number, we shouldn't be adding complexity. If there are other classes of attack that would be defeated by STS, I'd like to understand them.

For those reasons, I do not support adoption of STS as a WG document.

-Jim

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
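The contrast Jim draws above (the EHLO response as an insecure policy signal versus a pre-committed STS policy) as an added example, not code from the thread or from either draft: an opportunistic client trusts whatever EHLO says and is silently downgraded when STARTTLS is stripped, while a client holding a cached policy can refuse. The STS policy is modelled as a plain dict (the draft's HTTPS/DNS discovery is out of scope here), and the EHLO responses are constructed.

```python
# Added example (not from the thread): model the two client behaviours Jim
# contrasts. An opportunistic client trusts the EHLO response, so a middlebox
# that strips the STARTTLS capability silently downgrades it to cleartext.
# A client holding a pre-committed policy (the STS idea, modelled here as a
# plain dict instead of the draft's HTTPS/DNS discovery) can refuse instead.

def parse_ehlo(response: str) -> set[str]:
    """Return the EHLO keywords advertised in a multi-line 250 response."""
    caps = set()
    for line in response.splitlines()[1:]:        # first line is the greeting
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword = line[4:].split(" ", 1)[0]       # drop "250-" / "250 " prefix
        caps.add(keyword.upper())
    return caps

# Hypothetical cached policy: domains whose policy says TLS is required.
STS_POLICY = {"example.net": "enforce"}

def decide(domain: str, ehlo_response: str, policy=STS_POLICY) -> str:
    """Return 'tls', 'cleartext' or 'refuse' depending on what the client knows."""
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "tls"
    if policy.get(domain) == "enforce":
        return "refuse"           # missing STARTTLS contradicts the stored policy
    return "cleartext"            # opportunistic fallback: silent downgrade

# Constructed EHLO responses: the genuine one and what a stripping middlebox
# leaves behind (some middleboxes overwrite the keyword rather than delete it).
GENUINE = "250-mail.example.net\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
STRIPPED = GENUINE.replace("STARTTLS", "XXXXXXXX")

if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE), ("stripped", STRIPPED)):
        print(name,
              "policy-aware:", decide("example.net", resp),
              "opportunistic:", decide("example.net", resp, policy={}))
```

The policy-aware client only fails closed for domains whose policy it already holds, which is why the thread's question of whether a blocker could also defeat policy discovery matters.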
