Re: Last Call: SMTP Service Extension for Secure SMTP over TLS to Proposed Standard
On Fri, Jul 27, 2001 at 03:33:52PM -0400, Keith Moore wrote:
> > > I have a difficult time understanding why SMTP client authors
> > > thought it was acceptable to send SSL 2.0 Hello messages. Maybe they just
> > > blindly linked in SSL libraries without telling them what protocol
> > > version to use?
> >
> > Or they chose a pragmatic approach. Some alleged 'STARTTLS' servers
> > only support SSL 3.0. These are clearly broken, but making clients
> > backwards compatible with them still looks like a good idea.
>
> it looks like a good idea IF it doesn't keep them from being
> compatible with servers that conform to the standard.
The question is not what we would expect in an ideal world but how we
can achieve the best interoperation. As is, clients like e.g. Netscape 4.x
only support the SSLv2 and SSLv3 protocol. Even if it would support TLSv1,
it would probably send out an SSLv2 compatible client hello. As is, Netscape
only supports global SSL settings, so that by disabling SSLv2 for the
Mail interface you effectively have to disable it for all services, because
the configuration interface does not allow a fine grained adjustment.
So, even if it would support TLSv1, we would ruin Netscape's abilities
to access web sites or force the user to switch options on and off.
[There are still SMTP servers outside not supporting TLSv1, so a client
cannot both connect to these sites _and_ be standard conformant in the
sense that TLSv1 is the only choice.]
I therefore think that backward compatibility to old protocols (and that
does include SSLv2 which does not have the level of an "official"
standard) at least at the client hello level should be a SHOULD option
for servers.
(Following the old Internet policy of being generous in what is accepted.)
Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@xxxxxxxxxxxxxxxxx
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
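The distinction the thread turns on, an SSLv2-compatible client hello format versus the SSLv2 protocol itself, as an added example that is not part of the original mail: a parser that recognises both the 2-byte-header SSLv2 CLIENT-HELLO and the SSLv3/TLS record-layer ClientHello, extracts the highest version each advertises, and applies an illustrative server policy that accepts either hello format while refusing to negotiate anything below TLSv1. The byte layouts follow the SSLv2 and SSLv3/TLS specifications; the policy function and the sample hellos are assumptions constructed for the example.

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends after STARTTLS: returns
    {'format': 'sslv2'|'tls', 'version': (major, minor), 'ciphers': n} or raises ValueError."""
    if len(data) >= 2 and data[0] & 0x80:
        # SSLv2-compatible hello: 2-byte header (high bit set), then msg_type=1,
        # version, cipher_spec_len, session_id_len, challenge_len, and the data.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 9 or body[0] != 1:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
        if 9 + cs_len + sid_len + ch_len != len(body) or cs_len % 3:
            raise ValueError("SSLv2 CLIENT-HELLO length fields inconsistent")
        # The version field carries the HIGHEST version the client supports, so an
        # SSLv2-format hello can still request TLSv1 (3,1); pure SSLv2 sends (0,2).
        return {"format": "sslv2", "version": (major, minor), "ciphers": cs_len // 3}
    if len(data) >= 5 and data[0] == 0x16:
        # SSLv3/TLS record (type 0x16, version, length), then handshake type 0x01,
        # 3-byte length, client_version, 32-byte random, session_id, cipher_suites.
        body = data[5:5 + struct.unpack(">H", data[3:5])[0]]
        cs_off = 39 + (body[38] if len(body) > 38 else 0)
        if len(body) < cs_off + 2 or body[0] != 0x01:
            raise ValueError("not a TLS ClientHello")
        cs_len = struct.unpack(">H", body[cs_off:cs_off + 2])[0]
        return {"format": "tls", "version": (body[4], body[5]), "ciphers": cs_len // 2}
    raise ValueError("unrecognised client hello")

def choose_version(hello: dict, server_min=(3, 1), server_max=(3, 1)):
    """Illustrative server policy (assumption): accept either hello FORMAT, but
    negotiate only a protocol version >= server_min; a genuine SSLv2 hello (0,2) is refused."""
    if hello["version"] < server_min:
        return None
    return min(hello["version"], server_max)

# Constructed samples (not captured traffic): one cipher spec, 16-byte challenge.
def sslv2_format_hello(major, minor):
    body = bytes([1, major, minor]) + struct.pack(">HHH", 3, 0, 16) + b"\x00\x00\x0a" + b"\x00" * 16
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

def tls_hello(major, minor):
    hs = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
    hs = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return bytes([0x16, major, minor]) + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for raw in (sslv2_format_hello(3, 1), sslv2_format_hello(0, 2), tls_hello(3, 1)):
        h = parse_client_hello(raw)
        print(h, "->", choose_version(h))
```

Running it shows that a Netscape-style SSLv2-format hello advertising (3, 1) is accepted and negotiated as TLSv1, while the same wrapper advertising (0, 2) or (3, 0) is refused by the floor rather than by its format.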