IETF Logo Mail Archive

Re: STARTTLS & EHLO: Errata text?

Hector Santos <hsantos@santronics.com> Fri, 30 January 2009 01:57 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0U1vOKA051241 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 29 Jan 2009 18:57:25 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0U1vO1s051240; Thu, 29 Jan 2009 18:57:24 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from winserver.com (news.winserver.com [208.247.131.9]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0U1vNJ5051234 for <ietf-smtp@imc.org>; Thu, 29 Jan 2009 18:57:23 -0700 (MST) (envelope-from hsantos@santronics.com)
Received: by winserver.com (Wildcat! SMTP Router v6.3.452.5) for ietf-smtp@imc.org; Thu, 29 Jan 2009 20:58:01 -0500
Received: from hdev1 ([65.10.45.22]) by winserver.com (Wildcat! SMTP v6.3.452.5) with ESMTP id 2766502453; Thu, 29 Jan 2009 20:57:59 -0500
Message-ID: <49825E78.7080303@santronics.com>
Date: Thu, 29 Jan 2009 20:57:12 -0500
From: Hector Santos <hsantos@santronics.com>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
CC: ned+ietf-smtp@mrochek.com, SM <sm@resistor.net>, Tony Hansen <tony@att.com>, ietf-smtp@imc.org
Subject: Re: STARTTLS & EHLO: Errata text?
References: <497DE492.4080506@pscs.co.uk> <497DED29.70402@att.com> <497ED420.30708@pscs.co.uk> <alpine.LSU.2.00.0901271403220.4546@hermes-2.csi.cam.ac.uk> <497F86CB.60904@att.com> <alpine.LSU.2.00.0901281434440.4546@hermes-2.csi.cam.ac.uk> <498088B8.9040404@pscs.co.uk> <alpine.LSU.2.00.0901291310080.4546@hermes-2.csi.cam.ac.uk> <4981C0D5.1010401@pscs.co.uk> <4981C6BD.2040900@att.com> <37F39FF37390694B69567838@PST.JCK.COM> <4981E1AB.9000002@att.com> <6.2.5.6.2.20090129094120.02f234a0@resistor.net> <01N4VB00O5UQ00007A@mauve.mrochek.com> <49823FDC.4000006@isode.com>
In-Reply-To: <49823FDC.4000006@isode.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

Alexey Melnikov wrote:

> I would like suggest an alternative: how about saying
> 
>  The server MUST NOT trust any information obtained
>  from the client, such as command verbs and their arguments, prior 
 >  to the TLS negotiation.
>  The client MUST NOT trust any information obtained from the server,
>  such as the list of SMTP service extensions,
>  prior to the TLS negotiation.
> 
> This avoid the whole issue of what the client/server must and must not 
> remember.

I don't follow the client MUST NOT trust statement.  Is it not suppose 
to believe what the server presents for extensions?

    S:  We supports STARTTLS, AUTH CRAM-MD5
    C:  Liar!! No you don't, I don't believe you.

??

I think what you implying is:

    The client MUST NOT presume the same server extensions apply
    after secured SMTP is established.

This is already discussed (implied) in 3207.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email