On Thu, Jan 02, 2020 at 12:55:54PM -0500, James B. Byrne wrote:

> > Don't use mail to transport payment data, so PCI is not applicable.
> 
> This advice is not helpful.  It is not what we are sending but rather
> what we are receiving.  We have no control over the information that
> our clients send us.  PCI DSS exists to deal with this sort of thing.

When raising the floor on STARTTLS the result can be not greater
security, but otherwise avoidable use of cleartext.  See:

    https://tools.ietf.org/html/rfc7435#section-1.2

You get more security benefit from raising the ceiling, not the floor,
allowing the peer to negotiate the strongest available parameters.
Raising the floor is sometimes warranted, once *nobody* needs the weaker
options being excluded, but otherwise can be counter-productive.

Your system supports TLS 1.3, with modern ciphers, ... you're in good
shape.  Let the default settings work for you.

-- 
    
    Viktor.
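The floor-versus-ceiling argument above can be made concrete with a small negotiation model. The following is an added example, not code from the mailing-list post or from any MTA: the peers, their version ranges and the "no common version means cleartext fallback" rule are constructed to mirror the opportunistic-security behaviour RFC 7435 describes, and a real MTA's fallback behaviour depends on its configuration.

```python
"""
Toy model of opportunistic STARTTLS negotiation in the style of RFC 7435.

Added illustration, not part of the original post. The protocol ordering,
the peer policies and the fallback rule are constructed assumptions.
"""
from dataclasses import dataclass

# Protocol versions from weakest to strongest (constructed ordering).
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {v: i for i, v in enumerate(VERSIONS)}


@dataclass(frozen=True)
class TlsPolicy:
    """Contiguous range of protocol versions a party will accept."""
    floor: str    # weakest version still accepted
    ceiling: str  # strongest version supported

    def versions(self):
        lo, hi = RANK[self.floor], RANK[self.ceiling]
        return {v for v in VERSIONS if lo <= RANK[v] <= hi}


def negotiate(server: TlsPolicy, client: TlsPolicy, opportunistic: bool = True):
    """
    Outcome of one STARTTLS attempt between a sending client and our server.

    ("tls", version)    -> handshake succeeds at the strongest common version
    ("cleartext", None) -> no common version; an opportunistic sender falls
                           back to plaintext delivery
    ("refused", None)   -> no common version; a mandatory-TLS sender refuses
    """
    common = server.versions() & client.versions()
    if common:
        return ("tls", max(common, key=RANK.__getitem__))
    return ("cleartext", None) if opportunistic else ("refused", None)


def cleartext_count(server: TlsPolicy, peers: dict) -> int:
    """Number of peers whose mail would arrive in the clear under this policy."""
    return sum(1 for peer in peers.values()
               if negotiate(server, peer)[0] == "cleartext")


# Constructed sending peers: one stuck on an old stack, one fully modern.
LEGACY_PEER = TlsPolicy("TLSv1", "TLSv1")
MODERN_PEER = TlsPolicy("TLSv1", "TLSv1.3")
PEERS = {"legacy": LEGACY_PEER, "modern": MODERN_PEER}

# Three candidate server policies.
BASELINE = TlsPolicy("TLSv1", "TLSv1.2")        # what the server had before
FLOOR_RAISED = TlsPolicy("TLSv1.2", "TLSv1.2")  # weak versions disabled only
CEILING_RAISED = TlsPolicy("TLSv1", "TLSv1.3")  # strongest version enabled, floor kept

if __name__ == "__main__":
    for label, policy in [("baseline", BASELINE),
                          ("floor raised", FLOOR_RAISED),
                          ("ceiling raised", CEILING_RAISED)]:
        outcomes = {name: negotiate(policy, peer) for name, peer in PEERS.items()}
        print(f"{label:15s} {outcomes}  cleartext peers: {cleartext_count(policy, PEERS)}")
```

Raising only the floor turns the legacy peer's previously encrypted deliveries into cleartext ones, while raising the ceiling lets the modern peer move up to TLS 1.3 without taking anything away from the legacy peer. The `opportunistic=False` branch shows the other regime: a mandatory-TLS sender refuses rather than falling back, which is the situation in which excluding weak options costs nothing.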
