On Fri, Mar 28, 2025 at 06:21:01PM -0700, Rob Sayre wrote:

> I propose deleting this section entirely:
>
> https://datatracker.ietf.org/doc/html/draft-ietf-emailcore-rfc5321bis-42#section-7.1
>
> The AS covers it well, and I do understand the desire not to put some
> transient specs in this document.
>
> Look at the first part: "The authenticity of SMTP mail is inherently
> insecure".

If it is possible to reach consensus on a more modest/concise version
of 7.1, I would not be opposed, provided:

  - The benefit justifies an effort to reach such consensus.
  - Such a simplification is in scope for the document update.

Minimal replacement text to refine could be:

    Authentication of message origin and content lies outside the scope
    of the core SMTP protocol specified in this document.  In general
    one cannot assume that the envelope sender address, "From:",
    "Sender:" or other headers are not forged, that the message is not
    a replay, or that it has not been materially modified in transit.

    Various extensions of the SMTP protocol and/or message structure
    offer partial mitigations of the above risks, but no holistic
    scalable solution has yet been developed.

But it is not clear that expending the effort to reach consensus is in
scope or justified.

--
    Viktor.

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx