German infosec bureaucrats want mail providers to encrypt

Spook-busting IETF work gets nod from Federal Office of Information Security


It's not so often that the dense and often dull documents that are our Internet standards attract the endorsement of governments, but that's what has happened with RFC 7672.

Part of 'net boffins' ongoing effort to rewrite standards for better privacy, the standards-track RFC (SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)) is designed to improve email security, by letting SMTP message transfer agents authenticate each other and apply TLS to connections.

Endorsement of the idea comes from no lesser an agency than Germany's Federal Office for Information Security, according to local site Heise.

Heise reports that the office has released a technical directive, BSI TR-03108, urging German email providers to implement the RFC. The directive, in German, is here.

Putting away the forklift

The problem with SMTP, as the RFC states, is that right now there's no requirement that traffic between message transfer agents be encrypted: "neither e-mail addresses nor MX hostnames signal a requirement for either secure or cleartext transport".

DANE TLSA records, the RFC states, give (for example) a mail server a way to say "I support TLS", and publish how SMTP clients can authenticate servers.

While the world will still have both clients and servers that don't encrypt – these can still communicate in clear-text or using manually-configured security – the RFC means encryption can be implemented incrementally, rather than trying to get a billion forklifts upgrading a billion mail servers and clients at once. ®


Biting the hand that feeds IT © 1998–2020