On 3/22/18 12:59 PM, Daniel Kahn Gillmor wrote:

> On Thu 2018-03-22 15:17:18 -0400, Viktor Dukhovni wrote:
>>> On Mar 22, 2018, at 2:59 PM, Martin Thomson <[email protected]> wrote:
>>>
>>> https://tools.ietf.org/html/draft-trammell-optional-security-not-00 is relevant.
>> A reasonable guiding principle, but sometimes *availability* trumps security.
>> This is sufficiently often the case with email to make explicit preference for
>> delivery above all other concerns a necessary feature.
>>
>> When a user gets a delay warning for their initial attempt to send a time-sensitive
>> message, it should be possible to resend the message with an explicit opt-out of
>> enhanced security protections (beyond unauthenticated opportunistic STARTTLS).
> can't they opt-out by re-sending to their submission agent without the
> REQUIRETLS SMTP command?  or is the fear that their submission agent
> will invoke REQUIRETLS on the next hop without the user's permission?

REQUIRETLS is intended only to be asserted by the originator of the
message. I don't expect a subsequent hop to be asserting either the SMTP
option or the header field (although maybe I should make that
expectation explicit in the spec). Also note that the header field
("no") and the SMTP option ("yes") are mutually exclusive, because they
give conflicting instructions to the mail system.

-Jim

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
