Um, port25 has nice tee shirts but it isn't open source.

I never said it was? I'm aware it's a closed-source product. And it's quite good - I've been using it extensively in the past. Though their devs were very cooperative, and reversing *would* have been easy given we got debug symbols for their binaries... :x

There's a bottle of wine in my fridge that the head of development at port25 gave me. He's very nice, and very competent, but he's also very busy. The last time I talked to him he was working on EAI, and I gather there's a long list of other stuff to add and improve. We could probably get STS reporting on the list, and on the similar lists for MDaemon and Communigate and Openwave and Momentum, but by the time it's written, tested, packaged, shipped, and the customers put it into their installation schedules, it'll be at least a couple of years. That's why "ask your favorite distro to update" isn't going to work any time soon in the places that matter.

My original point, which I thought, perhaps wrongly, was obvious, is that all of these MTAs already have TLS support, so if we define a way to receive failure reports that doesn't need MTA changes, they can start collecting reports now and fixing their configuration errors. Our experience with DMARC is that for the first year, hardly anyone but Google and Yahoo were sending reports, but since they handle so much mail to everyone else, if you published a DMARC record and started collecting reports, you'd find out a lot about your mail configuration, and invariably learn about configuration mistakes you could just fix.

We really need a threat model beyond "someone might be spying on me."

Sorry, but I completely disagree. Because "someone" *is* spying on all of us! It's called full-take and they do it in real-time. Have you been reading the news since June 2013?

Of course there's lots of spying, but I hope we all remember the maxim never to attribute to evil what can be explained by incompetence. For every TLS session broken by malicious spying, there will be many more broken by misconfigured TLS in the MTA, or a firewall in the wrong place, or any of the other reasons we all know. The sooner people can start collecting info about the failures, the sooner they can start fixing the screwups that cause them.

I'm not saying we should ignore malicious MITM, but I also think that anyone smart enough to do MITM is likely to be smart enough to defeat whatever reporting we invent if they care enough to do so, or in places like Tunisia where everyone uses one or two state-controlled ISPs, prevent users from circumventing MITM even when they're aware of it.

So we should try and understand what are the reasons that TLS fails, and start with approaches that can address the most common ones.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
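The message above argues that the first useful step is to collect TLS failure information and sort it by cause, so the most common (and usually self-inflicted) problems get fixed first. The script below is an added illustration of that triage and is not code from the thread or from any MTA vendor: it parses a constructed, simplified log format (not any real MTA's format), buckets each failed delivery by the kind of failure, and ranks the buckets and the destinations responsible. The log lines, field names and category keywords are all assumptions made for the example.

```python
"""Rank the reasons outbound TLS sessions failed, from MTA-style log lines.

Added example. The log line format, the sample lines and the category
keywords below are constructed for illustration, not taken from any MTA.
"""
import re
from collections import Counter

# Constructed sample log lines (not real MTA output). Each line records one
# delivery attempt to a destination MX and why TLS was or was not established.
SAMPLE_LOG = """\
2015-06-01T10:00:01Z mx1 deliver to=mail.example.net tls=failed reason="certificate name mismatch"
2015-06-01T10:00:05Z mx1 deliver to=mx.example.org tls=failed reason="STARTTLS not offered"
2015-06-01T10:01:12Z mx1 deliver to=mail.example.net tls=failed reason="certificate name mismatch"
2015-06-01T10:02:40Z mx1 deliver to=smtp.example.com tls=failed reason="connection reset during handshake"
2015-06-01T10:03:02Z mx1 deliver to=mail.example.net tls=ok
2015-06-01T10:04:19Z mx1 deliver to=mx.example.org tls=failed reason="STARTTLS not offered"
2015-06-01T10:05:55Z mx1 deliver to=mail.example.net tls=failed reason="certificate expired"
"""

# One line = timestamp, sending host, destination, tls status, optional reason.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) deliver to=(?P<dest>\S+) tls=(?P<status>\w+)'
    r'(?: reason="(?P<reason>[^"]*)")?$'
)

# Keyword -> broad bucket. Certificate problems normally mean the receiving
# side's configuration is wrong; a missing STARTTLS offer or a reset during the
# handshake points at a missing feature or a middlebox in the path. These
# keywords are assumptions chosen to match the constructed sample above.
CATEGORIES = {
    "certificate": "misconfigured certificate",
    "starttls not offered": "starttls unavailable",
    "connection reset": "interrupted handshake",
}


def categorize(reason):
    """Map a free-text failure reason to a coarse bucket ('other' if unknown)."""
    r = reason.lower()
    for key, bucket in CATEGORIES.items():
        if key in r:
            return bucket
    return "other"


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def failure_summary(log_text):
    """Count failed deliveries per bucket and per (destination, bucket)."""
    by_cat = Counter()
    by_dest = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "failed":
            continue  # unparseable or successful TLS session: not a failure
        bucket = categorize(rec["reason"] or "")
        by_cat[bucket] += 1
        by_dest[(rec["dest"], bucket)] += 1
    return by_cat, by_dest


def most_common_failures(log_text, n=3):
    """The n most frequent failure buckets, most common first."""
    by_cat, _ = failure_summary(log_text)
    return by_cat.most_common(n)


if __name__ == "__main__":
    cats, dests = failure_summary(SAMPLE_LOG)
    print("failures by cause:")
    for bucket, count in cats.most_common():
        print(f"  {count:3d}  {bucket}")
    print("failures by destination and cause:")
    for (dest, bucket), count in dests.most_common():
        print(f"  {count:3d}  {dest}: {bucket}")
```

On the constructed sample the top bucket is "misconfigured certificate", all of it from one destination, which is the kind of finding the thread has in mind: a single operator fixing one certificate would remove half the failures, without any change to the MTA software itself.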

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
