IETF Logo Mail Archive

[Emailcore] Re: [Last-Call] Re: Re: Re: draft-ietf-emailcore-as-28 ietf last call Secdir review

Eliot Lear <lear@lear.ch> Thu, 30 April 2026 18:17 UTC

Return-Path: <lear@lear.ch>
X-Original-To: emailcore@mail2.ietf.org
Delivered-To: emailcore@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B5A55E6D8DDA; Thu, 30 Apr 2026 11:17:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777573050; bh=CDIYOpayrV6rZ3WvMDmv7kd9HpMW/51JKoCquKXOfyc=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=yj9x5HJskBDka23tqcQSeNUwIwdCQztPtvQqv/Hz5Vk+UK08Bmvx37QfxEtPbz2P+ ovefFHuYYM47Ga5VMipyr6N4rApksIQvNQiOZ5Rrf8/OVYmKhZIpUJTvbkNahHEw2S WtHVXmo4ickN2rFIkNWOalxIHIo2lvjCoCLLlb/Y=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCFo2iFu46PC; Thu, 30 Apr 2026 11:17:30 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E8B8FE6D8DC8; Thu, 30 Apr 2026 11:17:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1777573034; bh=CDIYOpayrV6rZ3WvMDmv7kd9HpMW/51JKoCquKXOfyc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=We/qRHA61q/58mRq0OKbrE2LhBZ5l529xJp0XNg+WhbWWaBiauUyDs2q2pK+CXCoe sW6Lp5i9iOL0HfVuwze4P0pdjEyjeFvbgf39+kYC7yofjXFYEtvDnaHqnJxcvYGdFo m7lCA/c0locGP8yx5ZCJiqW+RBT2hnPjVq30AZPs=
Received: from [IPV6:2a02:1210:2c9b:e200:e53f:2b23:e03c:72d8] (0.1.2.1.2.0.a.2.dynamic.cust.swisscom.net [IPv6:2a02:1210:2c9b:e200:e53f:2b23:e03c:72d8] (may be forged)) (authenticated bits=0) by upstairs.ofcourseimright.com (8.18.1/8.18.1/Debian-2) with ESMTPSA id 63UIHDtp2148514 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT); Thu, 30 Apr 2026 20:17:14 +0200
Message-ID: <cdfa3bfc-6fef-48b8-beed-fed36a5574db@lear.ch>
Date: Thu, 30 Apr 2026 20:17:13 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Christian Huitema <huitema@huitema.net>
References: <16e19e54-7f69-4ecc-a5f0-dcffd7a0d3b2@lear.ch> <CABcZeBP0e0TS4F_aQvvER+pt87rgGiARudKTEKzD0roEyESvZQ@mail.gmail.com> <8DC02587-26C8-428A-9D88-44AEEFDFE1C2@episteme.net> <CABcZeBMRsVsBnvbW_g0aR8M80RcQ0QWHqYxQk5dK_9-Dm1Tccw@mail.gmail.com> <20260430022538.CC3ED106EE3EA@ary.qy> <CABcZeBOOPf-Te7wGZV97sWf=XLW8_mTiZS0x30EfufB0Omr7hw@mail.gmail.com> <20260430030207.545AA106EF6A5@ary.qy> <b35ae5d5-fa7b-4734-8295-7773b9aa8bdc@betaapp.fastmail.com> <2890cc75-cba8-4caa-9692-9bb0ce944d06@lear.ch> <a1659fc4-73e3-43db-bc47-591a01d3fd0f@betaapp.fastmail.com> <afLnhUPxIw7eXe1q@ubby> <8B503162-B89C-4E3C-AF8E-3153970A6145@episteme.net> <253e846e-cc62-6df7-6f55-15adf739253e@ietf.email> <15fcf298-011b-476c-b946-a69176c249f4@huitema.net>
Content-Language: en-US
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <15fcf298-011b-476c-b946-a69176c249f4@huitema.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------nGpaNz51WPAgXcLk7YEjvgSY"
Message-ID-Hash: 737MALOTNME45YP5JYFRE43TQHUGNYCT
X-Message-ID-Hash: 737MALOTNME45YP5JYFRE43TQHUGNYCT
X-MailFrom: lear@lear.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: last-call@ietf.org, emailcore@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Emailcore] Re: [Last-Call] Re: Re: Re: draft-ietf-emailcore-as-28 ietf last call Secdir review
List-Id: EMAILCORE proposed working group list <emailcore.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emailcore/c6BRCxgiVpU79dyHncdZ69Ruj_A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emailcore>
List-Help: <mailto:emailcore-request@ietf.org?subject=help>
List-Owner: <mailto:emailcore-owner@ietf.org>
List-Post: <mailto:emailcore@ietf.org>
List-Subscribe: <mailto:emailcore-join@ietf.org>
List-Unsubscribe: <mailto:emailcore-leave@ietf.org>

Hi Christian

On 30.04.2026 19:52, Christian Huitema wrote:
>
> I think the important point is that administrators make these 
> decisions. All these variations in software architecture and 
> deployment are valid ways through which the administrators can choose 
> to support ClearText, or not. 

But they can't without great difficulty if the distributions compile out 
capabilities that those same administrators need. That is precisely my 
concern here.  It's worse if the software is proprietary, where you 
don't have access to source.  That's far from the worst case.

A worse case is when people have to fall of the distribution support 
system by compiling their own source.  At that point they won't keep up 
with patches.  The worst case would be if the OSS players decided to 
remove support in their code, making patches yet more unlikely.

> I don't think that the IETF should mandate that the software must have 
> a run time configuration knob, rather than for example a compile time 
> or deployment time knob, especially since having run time options tend 
> to make the code larger and less secure. That's why I don't much like 
> drafts that make requirements such as "implementations must have knobs."

I can't stand knobs.  I hate them with a passion.  But this is not a 
simple ecosystem, there is a wildly massive installed base, and our 
protocol police powers are limited[1]. The RFC series has to give 
unambiguous practical advice to both implementors and operators so that 
those administrators of which you speak can make good choices.  That has 
to transcend academic argument, which, forgive me, it feels as though we 
are having.

What's particularly frustrating about this entire debate is that we 
*all* want people to use STARTTLS as early and as often as possible.  
That's the best route forward.  Reality means that administrators have 
to pick their poison.  And that leads me to two final points:

 1. I would like to know how many people here have actually *tried* to
    disable reception of plain text to know what effect it would have on
    themselves.
 2. I looked at this for myself.  About 90-95% of incoming mail that
    doesn't use STARTTLS is spam.  The rest, however, is important
    enough that I'm not willing to disable plaintext.  I am, however,
    willing to up-rate it in my spam engine.

Eliot

[1] https://www.rfc-editor.org/rfc/rfc9948.html

v2.43.4 | Report a Bug | By Email | System Status