[sorry about the broken threading; I get uta@ in digest form and can't dig
out a proper message-id ATM from the archives]

On Wed, Mar 27, 2019 at 12:00:16PM -0700, uta-requ...@ietf.org wrote:
> Date: Wed, 27 Mar 2019 09:34:14 +0100
> From: Jim Fenton <fen...@bluepopcorn.net>
> To: "uta@ietf.org" <uta@ietf.org>
> Subject: [Uta] Revised wording on security consideration re TLS-Required
> 
> Thanks for the feedback on my proposed language for a new security
> consideration regarding conflicts between the TLS-Required header field
> and DANE and MTA-STS recipient policies. Here's another stab at it:
> 
> =====
> 
> 8.4. Policy Conflicts
> 
> In some cases, the use of the TLS-Required header field may conflict
> with a recipient domain policy expressed through the DANE [RFC7672] or
> MTA-STS [RFC8461] protocols. Although these protocols encourage the use
> of TLS transport by advertising availability of TLS, the use of the
> "TLS-Required: No" header field represents an explicit decision on the
> part of the sender not to require the use of TLS, such as to overcome a
> configuration error. The recipient domain has the ultimate ability to
> require TLS by not accepting messages when STARTTLS has not been
> negotiated; otherwise, "TLS-Required: No" is effectively directing the
> client MTA to behave as if it does not support DANE or MTA-STS.
> 
> =====
> 
> Comments welcome.

This doesn't really say anything about or give guidance to intermediate
MTAs.  (Do we want to differentiate between initial and intermediate MTAs,
too?)

-Ben
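As an added illustration, not part of this thread or of the draft text, the following constructed Python model encodes the client-MTA decision the quoted section describes: a "TLS-Required: No" header field switches off DANE/MTA-STS enforcement on the sending side, while the recipient keeps the last word by refusing mail when STARTTLS was not negotiated. The names `TlsState`, `Action` and `decide` are hypothetical, the 530 reply is a constructed example of recipient refusal, and only a single client MTA is modelled (intermediate MTAs are not).

```python
from enum import Enum
from typing import Dict, Optional

class TlsState(Enum):
    NOT_OFFERED = "STARTTLS not offered by the recipient MTA"
    HANDSHAKE_FAILED = "STARTTLS offered but the TLS handshake failed"
    UNVERIFIED = "TLS negotiated but DANE/MTA-STS validation failed"
    VERIFIED = "TLS negotiated and validated against the recipient policy"

class Action(Enum):
    DELIVER_VERIFIED_TLS = "deliver over validated TLS"
    DELIVER_OPPORTUNISTIC_TLS = "deliver over unvalidated TLS"
    DELIVER_CLEARTEXT = "deliver without TLS"
    DEFER = "defer: recipient policy (enforce mode) requires validated TLS"
    REFUSED = "undeliverable: recipient refused the message without STARTTLS"

def tls_required_no(headers: Dict[str, str]) -> bool:
    """True if the message carries a 'TLS-Required: No' header field.
    Header names are case-insensitive, so normalise before comparing."""
    for name, value in headers.items():
        if name.lower() == "tls-required" and value.strip().lower() == "no":
            return True
    return False

def decide(headers: Dict[str, str], recipient_policy: Optional[str],
           tls: TlsState, server_refuses_cleartext: bool) -> Action:
    """recipient_policy is 'DANE', 'MTA-STS' or None (no published policy).
    server_refuses_cleartext models the recipient exercising its 'ultimate
    ability' to require TLS, e.g. by answering with a 530 reply when
    STARTTLS has not been negotiated (constructed example)."""
    if tls is TlsState.VERIFIED:
        return Action.DELIVER_VERIFIED_TLS
    # A policy is in force only if the domain publishes one AND the sender
    # did not opt out: 'TLS-Required: No' makes the client behave as if it
    # did not support DANE or MTA-STS at all.
    policy_in_force = recipient_policy is not None and not tls_required_no(headers)
    if policy_in_force:
        return Action.DEFER  # never downgrade past an enforced policy
    if tls is TlsState.UNVERIFIED:
        return Action.DELIVER_OPPORTUNISTIC_TLS  # session exists, just unvalidated
    # No TLS session at all: the recipient MTA still has the last word.
    if server_refuses_cleartext:
        return Action.REFUSED
    return Action.DELIVER_CLEARTEXT
```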

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta