Hi all,

Something that's been confusing to me is: if and how does the
SMTP-TLSRPT specification depend on the MTA-STS specification?
The "mode" field of the policy controls whether any report should be
generated (if there is a TLSRPT policy too), but the SMTP-TLSRPT
specification itself does not mention this dependency at all.
In fact, I wonder why the MTA-STS policy would affect report sending anyway.

Consider these cases:
1. There is a policy with mode=testing and no TLSRPT policy
    - obviously no report is generated, because there is no address to
      send it to
2. There is a policy with mode=none and a TLSRPT policy
    - according to the MTA-STS spec, no report should be sent, but the
      TLSRPT spec is silent on this
3. There is no STS policy at all, but there is a TLSRPT policy
    - I'm guessing reports have to be sent, even though there is no
      STS policy that says so, in case DANE is used

It would make most sense to me if report sending only depends on the
presence of the TLSRPT policy (the TXT record) and not at all on the
active MTA-STS policy mode.
There may be a special case to not send reports if there is an MTA-STS
policy with mode=none *and* DANE is not in use (how exactly do you
determine that DANE is not in use?), but IMHO this should be documented in
the TLSRPT spec.

Also:
>         4.4
>
>             o  "policy-string": A string representation of the policy,
>
> Since it is no longer a "string representation" of the policy, but rather an 
> array of strings, at least the description should probably change to:
> "An encoding of the policy as a JSON array of strings" or some such.  You 
> could also rename the element to "policy-array", but I don't feel strongly 
> about that.

+1

Ayke

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta