Stephen,
I realized that I forgot to reply to your message about MTI vs. MTU for
IMAP.

Even absent Ned's detailed note showing that most major e-mail providers
already mandate use of TLS for access, I would not see the Washington
Post story as evidence that we need to change IMAP (and POP?) to mandate
_use_ of TLS. One reason is that these e-mail access protocols are used
in enterprise environments where passive wiretapping is often not
considered a viable attack. Internal to the enterprise net there is
usually a perception of adequate physical security. For external access,
VPN use is usually mandated. If we mandated use of TLS with these
protocols, and access was already protected by IPsec, it would seem
overkill, and create possible PMTU problems.

This is another example of why it's hard to justify MTU for protocols,
independent of context. Ned's observations, and Joel's, suggest that
when service providers decide that security against passive wiretapping
is a concern, they make use of it (eventually), irrespective of IETF
mandates. It's disappointing that, as Ned noted, the providers elected
to adopt a different port for this protected access, contrary to IETF
specs. Maybe this shows that we're not always in the best position to
decide the MTI details :-( .

Steve
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass