[Emailcore] Re: [secdir] possible solve for the emailcore AS

Nico Williams <nico@cryptonector.com> Tue, 05 May 2026 03:42 UTC

Date: Mon, 04 May 2026 22:42:07 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eliot Lear <lear@lear.ch>
Message-ID: <aflnD8CFSLt7ng56@ubby>
References: <bd9fe670-4a0c-4b87-8dd4-eb5b274a041a@lear.ch>
In-Reply-To: <bd9fe670-4a0c-4b87-8dd4-eb5b274a041a@lear.ch>
CC: emailcore@ietf.org, "last-call@ietf.org" <last-call@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
List-Id: EMAILCORE proposed working group list <emailcore.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emailcore/VVLdJwjpwg8A2dcKZrG_d-GG-Lg>

On Sun, May 03, 2026 at 10:13:20PM +0200, Eliot Lear wrote:
> I wonder if we could look at all of this through a different lens.  The idea
> is to consider the dropping of email to be a local policy decision. Viewed
> through that lens, perhaps there's some wording that could be agreed.  So
> take this as a straw man upon which to build:
> 
> What email to drop *MUST* be considered a local policy decision in
> accordance with a wide range of administrative needs.  Not accepting email
> that does not use STARTTLS is no exception to this rule.  Local policy
> choices [may/*MAY*] be implemented in code, but are often implemented as
> configuration for versatility's/generality's sake.  At the time of this
> writing, a substantial installed base does not use STARTTLS, and therefore
> those not permitting email without STARTTLS should expect to drop at least
> some mail.
> 
> Or something like that...

This is an argument for how the current text does not require accepting
cleartext email, which... is something I'm sure everyone here will agree
with should the text remain: you can't be made to accept cleartext
email.  But that's not the issue.  The issue is that if an
implementation adheres to this AS then it MUST be possible to configure
it to accept cleartext email.  Still, your point is abundantly clear:
the ability to reject cleartext email, and even defaulting to that
setting, should be more than enough to allay the concerns here.  I.e.,
you've laid bare that the concerns stated are not particularly severe.

Nico
--
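The trade-off both messages describe (refusing mail that does not use STARTTLS as a local policy choice, while remaining configurable to accept cleartext), shown as an added example that is not part of the thread: a toy model of an SMTP receiver's STARTTLS policy knob using the reply codes from RFC 3207. The `Receiver` and `Session` classes and the policy names `none`/`may`/`encrypt` are assumptions of this example, not any real MTA's interface.

```python
# Added example (not from the thread): a minimal model of an SMTP receiver's
# STARTTLS policy decision, in the spirit of RFC 3207 section 4.
# The class names and policy values below are this example's own assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values: "none" = never offer TLS, "may" = opportunistic
# (accept cleartext), "encrypt" = refuse cleartext mail transactions.
POLICIES = ("none", "may", "encrypt")

@dataclass
class Session:
    tls_active: bool = False
    sender: Optional[str] = None
    log: List[str] = field(default_factory=list)

@dataclass
class Receiver:
    policy: str = "may"  # local policy; cleartext accepted by default

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"unknown policy {self.policy!r}")

    def ehlo(self, s: Session) -> str:
        # Advertise STARTTLS unless policy forbids TLS or it is already up.
        caps = ["250-mx.example PIPELINING"]
        if self.policy != "none" and not s.tls_active:
            caps.append("250-STARTTLS")
        caps.append("250 8BITMIME")
        return "\r\n".join(caps)

    def starttls(self, s: Session) -> str:
        if self.policy == "none":
            return "454 4.7.0 TLS not available due to local policy"
        if s.tls_active:
            return "503 5.5.1 TLS already active"
        s.tls_active = True  # handshake assumed to succeed in this model
        s.sender = None      # RFC 3207: SMTP state is reset after the handshake
        return "220 2.0.0 Ready to start TLS"

    def mail_from(self, s: Session, addr: str) -> str:
        # The local policy decision: refuse cleartext only under "encrypt".
        if self.policy == "encrypt" and not s.tls_active:
            s.log.append(f"rejected cleartext MAIL FROM:<{addr}>")
            return "530 5.7.0 Must issue a STARTTLS command first"
        s.sender = addr
        return "250 2.1.0 Ok"

def deliver_attempt(policy: str, client_supports_tls: bool) -> str:
    """Drive one session against a receiver; return the reply to MAIL FROM."""
    r, s = Receiver(policy), Session()
    if "STARTTLS" in r.ehlo(s) and client_supports_tls:
        r.starttls(s)
    return r.mail_from(s, "alice@example.org")
```

Running `deliver_attempt("encrypt", False)` shows the installed-base cost the quoted text warns about: a legacy sender without STARTTLS is turned away with a 530, whereas the same sender is accepted under `may`.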