Mirja Kühlewind has entered the following ballot position for
draft-ietf-uta-email-deep-09: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-uta-email-deep/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

The document reads like a BCP to me. Was it discussed in the group to go for
BCP? If yes, why was it decided not to go for BCP? If no, I would strongly
recommend BCP.

Nits:
1) sec 4.1:
"The specific means employed for deprecation of cleartext Mail Access
   Services and Mail Submission Services MAY vary from one MSP to the
   next..."
I guess this should rather be lower case "may", but the RFC editor might have
caught that as well.

2) Also sec 4.1:
"It is RECOMMENDED that new users be required to use TLS version 1.1
   or greater from the start. "
Should this be TLS1.2 or maybe a MUST? Just double-checking.

3) This document should probably have a reference to DNSSEC, I guess that's
rfc4033...

4) sec 5.2:
"The default minimum expected level of confidentiality for all new
   accounts SHOULD be at least use of TLS version 1.1 or greater, and
   successful validation of the server's certificate."
Given this sentence defines the default minimum, I would have expected a MUST
here? Or should this maybe be "MUST use TLS1.1 or greater" and "SHOULD do
certificate validation"? However, what's the case where you wouldn't do it as
the default minimum?

5) s/were not met by the connecting/were not met by the connection/

6) In section 5.4, should there maybe be a recommendation that a MUA should
also offer a way for a user to remove the pinning, e.g. if it was detected
later on that a wrong cert had been pinned?

7) sec 6: is there a useful reference to the milter protocol that can be
provided?


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
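The "default minimum expected level of confidentiality" discussed in nits 2 and 4 above (a TLS version floor plus successful certificate validation) is easy to get wrong on the client side, so here is an added illustration of what enforcing that minimum looks like in a mail user agent. This is example code written for this page, not part of the ballot, the draft, or any MUA; the `mail_client_context` and `negotiated_version_acceptable` helpers are assumed names, and the TLS 1.2 floor is a constructed default that the caller can lower to TLS 1.1 to match the draft's wording.

```python
import ssl

# Version strings as returned by ssl.SSLSocket.version(), ordered so that a
# negotiated version can be compared against a policy floor.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def mail_client_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Build a client-side context for IMAP/POP/Submission over TLS.

    The returned context refuses any protocol version below `minimum` at
    handshake time and requires a chain that validates against the system
    trust store, with the hostname checked against the certificate.
    (Assumed helper; TLS 1.2 default is a constructed choice, the draft
    text quoted above says TLS 1.1 or greater.)
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = minimum
    # create_default_context() already sets these; restate them so the policy
    # is explicit and survives someone later copying the context elsewhere.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def negotiated_version_acceptable(version_name: str,
                                  minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> bool:
    """Post-handshake check: does the version the peer actually negotiated
    meet the floor? Unknown strings are treated as not acceptable."""
    negotiated = _VERSION_BY_NAME.get(version_name)
    if negotiated is None:
        return False
    return negotiated >= minimum


if __name__ == "__main__":
    # Constructed demonstration, no network access needed.
    ctx = mail_client_context()
    print("floor:", ctx.minimum_version.name,
          "verify:", ctx.verify_mode.name,
          "hostname check:", ctx.check_hostname)
    for name in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(name, "acceptable under TLS1.2 floor:", negotiated_version_acceptable(name))
```

The two checks are deliberately separate: the context setting stops a downgraded handshake from completing at all, while the post-handshake function is what an MUA would log or surface to the user if it ever observed a session below the configured floor (for example when a different context was used by mistake).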