Re: [yam] draft-daboo-srv-email: POP3S/IMAPS?

Ned Freed <> Mon, 18 January 2010 03:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9B563A6836 for <>; Sun, 17 Jan 2010 19:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.179
X-Spam-Status: No, score=-2.179 tagged_above=-999 required=5 tests=[AWL=0.420, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Vb0OC3gRlbBj for <>; Sun, 17 Jan 2010 19:24:31 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A05BC3A67A5 for <>; Sun, 17 Jan 2010 19:24:30 -0800 (PST)
Received: from by (PMDF V6.1-1 #35243) id <> for; Sun, 17 Jan 2010 19:24:21 -0800 (PST)
Received: from by (PMDF V6.1-1 #35243) id <>; Sun, 17 Jan 2010 19:24:18 -0800 (PST)
Message-id: <>
Date: Sun, 17 Jan 2010 18:55:16 -0800
From: Ned Freed <>
In-reply-to: "Your message dated Mon, 18 Jan 2010 02:42:09 +0000" <>
MIME-version: 1.0
Content-type: TEXT/PLAIN
References: <> <> <>
To: Sabahattin Gucukoglu <>
Subject: Re: [yam] draft-daboo-srv-email: POP3S/IMAPS?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jan 2010 03:24:31 -0000

> On 17 Jan 2010, at 17:35, Ned Freed wrote:
> >> Shouldn't we be seriously discouraging that usage?
> >
> > Perhaps. But a provisioning mechanism specification isn't the place to do it.
> >
> The specification, if it describes the method of "Wrapped SSL",

If by "description" you mean a single sentence, I guess this specification
qualifies. But by that measure, RFC 2595 would probably qualify as well.

> must explain what's wrong with it, and we know too well what's wrong with it
> (implementation specific behaviours, IANA problems, negotiation problems,
> although the latter is addressed in part by this very specification).  If it
> doesn't describe a specification that the IETF wrote or vouches for, then that
> specification needs to be written.  Otherwise, it shouldn't specify its usage
> at all.

The consequences of that will be to make the mechanism unusable for a
nonnegligable number of deployments. Deployment of this is going to be
difficult enough without such well-meaning but strategically foolish

> Happily, this specification *does* explain the procedure for wrapping
> POP/IMAP/SMTP inside a directly-negotiated SSL stream, so all that's required
> now is to explain why, in all this time, we haven't documented it before now. 
> Perhaps we can even kill two birds with one stone. :-)

But we have documented this at this level of detail before now - in RFC 2595
section 7.

Now, I have no objection to adding a sentence to the security considerations
section saying that use of imaps/pops are discouraged and pointing to the
previous text on this issue. But I see little if any value in repeating the
explanation here. And I'll again repeat that if your goal really is to change
existing deployment practices, the only chance you have of doing that is with a
separate document specifically on this point and this point alone.

> > If you want to promote or discourage a particular approach to deploying network
> > services, you need to do it directly. Write a "IMAPS/POPS considered harmful"
> > draft and get it published.

> See above; I have no problem with propitiating those who choose to do it
> wrong, but only so long as they don't do it very wrong, and hurt lots of
> innocent bystanders who obey well-written rules as a consequence of their own
> desires.  The deployment or not of broken vs correct behaviour will speak for
> itself, and I have no problem with that.  But neither should we simply allow
> for the specification of broken behaviour without a cautionary note.

The relevant cautionary note has been part of our specifications for other 10
years now.