> I fully agree. The state of TLS in the mail world is quite sad and it
> would be great if we could all agree on actually keeping our systems up
> to date...
TLS in MUA protocols (IMAP or whatever Microsoft calls MAPI this week) is fine. Not sad. TLS in SMTP mail is also not sad; it's fundamentally broken because of the lack of a well-agreed binding between "who I am talking to" and "what certificate I should expect," with a dip into "and by the way I got all this information out of DNS which is also not very trustable" along the way. Sad would be an upgrade for this stuff. And even if there were some HSTS-like way to bind certificates to destination domain names, the lack of an interactive moment for the user to say "yes" or "no" to a questionable certificate makes it even worse.

TLS in SMTP mail is weak opportunistic encryption, which is A Good Thing, but the reign of the crypto woke-purists who insist that the TLS must be secure against all known attacks is more than a little annoying when everything surrounding the actual moment of key agreement & algorithm choice is not very secure.

Yes, it would be nice if everyone were running newer versions of TLS. And yes, I understand it's hard to have a TLS library that can tell the difference between a user sending mail and a user going to a web site; yes, I get it. But large production email systems have a lot of moving parts in addition to the actual hard work of keeping the mail stored and accessible: SMTP gateways, TLS off-loaders, load balancers, and of course everything has to work with everything else (and every domain name and TCP port number that was ever handed out by customer service since 1994) and every client except for Eudora, because we've given up on Eudora finally, but G-d WILL strike you down if Pine stops working, so don't forget to test that.

Yes, we'll get all those systems upgraded. But I'm tired of having folks who should have gotten their frickin' stuff right the first time creating crisis after crisis in software updates and patching every time someone with facial dermatitis steps up to the podium at Black Hat.

There's a whole lot of tail-wagging-the-dog here from the point of view of the world of email...

Rant off.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
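The post's core technical complaint is that an SMTP sender has no agreed way to bind "the domain I am delivering to" to "the MX host and certificate I should expect," because both come out of unauthenticated DNS. The HSTS-like binding the post wishes for does exist as MTA-STS (RFC 8461), under which a domain publishes over HTTPS the list of MX hostnames a sender should accept. The following is an added example, not code from the post or from Opus One, showing how a sending MTA would apply such a policy: it parses a policy body, applies the RFC 8461 one-label wildcard rule to the MX name obtained from DNS, checks that the presented certificate names cover that MX host, and returns a delivery decision. The policy text, MX names and certificate names are constructed for the example; PKIX chain validation and full RFC 6125 name matching are out of scope and are replaced by the same single-label wildcard matcher.

```python
"""Apply an MTA-STS (RFC 8461) policy to one MX candidate.

Added illustration; the policy body and hostnames below are constructed,
not taken from any real domain. Certificate chain validation is assumed to
have happened elsewhere; only name matching is shown.
"""


def parse_mta_sts_policy(text):
    """Parse the key/value body served at
    https://mta-sts.<domain>/.well-known/mta-sts.txt (CRLF or LF lines).

    Returns a dict with 'version', 'mode', 'max_age' (int) and 'mx' (list of
    lowercase patterns). Raises ValueError on a malformed policy, which a
    sender in enforce mode must treat as "no valid policy".
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed policy line: %r" % raw)
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError("policy missing %s" % required)
    if policy["version"] != "STSv1":
        raise ValueError("unsupported version %r" % policy["version"])
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("unknown mode %r" % policy["mode"])
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("policy has no mx entries")
    return policy


def mx_matches(pattern, hostname):
    """RFC 8461 mx matching: a leading '*.' matches exactly one DNS label.

    '*.example.net' matches 'mx1.example.net' but not 'a.b.example.net'
    and not the bare 'example.net'. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def delivery_decision(policy, mx_hostname, cert_hostnames):
    """Decide what a sending MTA does with one MX host.

    mx_hostname    -- the MX target learned from (unauthenticated) DNS
    cert_hostnames -- subjectAltName dNSNames from the server certificate
                      (constructed in the caller; a real MTA takes them
                      from the validated chain)

    Returns 'deliver', 'skip' (enforce mode and the binding failed), or
    'deliver-report' (testing mode: deliver anyway but emit a TLSRPT
    failure report).
    """
    if policy["mode"] == "none":
        return "deliver"  # domain publishes no binding at all
    mx_ok = any(mx_matches(p, mx_hostname) for p in policy["mx"])
    # Simplified certificate name check: same one-label wildcard rule.
    cert_ok = any(mx_matches(name, mx_hostname) for name in cert_hostnames)
    if mx_ok and cert_ok:
        return "deliver"
    return "skip" if policy["mode"] == "enforce" else "deliver-report"


# Constructed policy body, as a sender would fetch it over HTTPS.
EXAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.example.net\r\n"
    "max_age: 604800\r\n"
)

if __name__ == "__main__":
    pol = parse_mta_sts_policy(EXAMPLE_POLICY)
    # Legitimate MX with a matching certificate.
    print(delivery_decision(pol, "mx1.example.net", ["mx1.example.net"]))
    # MX record that points outside the published list (e.g. a bad DNS
    # answer): the policy lets the sender refuse instead of trusting DNS.
    print(delivery_decision(pol, "mx1.unrelated.test", ["mx1.unrelated.test"]))
```

In enforce mode the sender skips an MX host that DNS handed it but the domain owner never published, which is exactly the binding the post says SMTP lacks; in testing mode the same mismatch is delivered and reported, so a domain can roll the policy out without losing mail.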