oss-sec mailing list archives

Re: Python standard library defaults to insecure TLS for mail protocols


From: Kurt H Maier <khm () sciops net>
Date: Fri, 2 Feb 2024 07:35:26 -0800

On Thu, Feb 01, 2024 at 10:56:34PM +0100, Steffen Nurpmeso wrote:

> This protocol is much too complicated, and totally
> over-engineered.  How many different approaches to get that job
> actually done do you want?  How much more configuration effort
> burden shall be put onto administrators?  Even more -- how many
> small business administrators there still exist.
>
> Having DNS announce something is good now that there is DNSSEC
> getting widespread use, and over transported channels of all sorts
> (i only like two of those, but i cannot help it anyway).

I raised these objections on some IETF list or another, and was
rebuffed.  According to the MTA-STS project, DNS is too hard or people
are too stupid, so MTA-STS ignores DNSSEC and relies on HTTPS and
well-known urls.  I would like it to be on the record, at least, that
someone tried to talk them out of this.  I did point out that requiring
an entire additional stack of protocols just to look up a port number
was not as clever as just specifying the port number, but that idea was
also rejected.

khm
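For readers who have not handled MTA-STS directly, the mechanism the reply is arguing about is small enough to show in full: the sender looks up a `_mta-sts.<domain>` TXT record to learn that a policy exists, fetches the policy text over HTTPS from the well-known URL, and then checks each MX candidate against the policy's `mx` patterns before deciding whether a failed TLS validation aborts delivery. The following Python is an added illustration written for this archive page, not code from the thread, from Python's standard library, or from the MTA-STS project; it follows the record and policy formats of RFC 8461 and works entirely on a constructed sample policy, so it does no DNS or HTTPS lookups. The domain and hostnames are invented.

```python
"""Parse and evaluate an MTA-STS (RFC 8461) policy offline.

Added example for illustration; all hostnames and policy values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class StsPolicy:
    version: str
    mode: str                       # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)   # MX identity patterns, lowercased
    max_age: int = 0                # seconds the policy may be cached


def parse_sts_txt_record(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20240201T000000Z;'.

    The record only announces that a policy exists (and its id); the policy
    body itself lives at the HTTPS well-known URL.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 record")
    return fields


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version = mode = None
    mx, max_age = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":                     # may repeat, one MX pattern per line
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored so future extensions do not break parsing
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx pattern is required unless mode is none")
    return StsPolicy(version=version, mode=mode, mx=mx, max_age=max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """An mx pattern matches exactly, or '*.' matches a single leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]
        return bool(left) and "." not in left  # one label only
    return pattern == hostname


def should_deliver(policy: StsPolicy, mx_host: str, tls_validated: bool):
    """Decide, for one MX candidate, whether an MTA-STS-aware sender delivers.

    Returns (deliver, reason). In "enforce" mode a policy failure blocks
    delivery; in "testing" mode it is delivered and only reported.
    """
    if policy.mode == "none":
        return True, "policy mode none"
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if mx_ok and tls_validated:
        return True, "mx matches policy and TLS validated"
    reason = "mx host not in policy" if not mx_ok else "TLS validation failed"
    if policy.mode == "enforce":
        return False, reason
    return True, "testing mode, delivered despite: " + reason


# Constructed sample data (invented domain, not a real deployment).
SAMPLE_TXT = "v=STSv1; id=20240201T000000Z;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""

if __name__ == "__main__":
    rec = parse_sts_txt_record(SAMPLE_TXT)
    pol = parse_sts_policy(SAMPLE_POLICY)
    print("policy id", rec["id"], "mode", pol.mode, "mx", pol.mx)
    for host, tls in [("mail.example.net", True), ("mx1.backup.example.net", False),
                      ("a.b.backup.example.net", True), ("rogue.example.org", True)]:
        print(host, should_deliver(pol, host, tls))
```

The `should_deliver` decision is where the mode matters operationally: a domain publishing `mode: testing` gets failure reports (via TLSRPT) without losing mail, while `mode: enforce` turns a certificate or MX mismatch into a hard delivery refusal, which is why senders are expected to cache the policy for `max_age` and retry rather than fall back to cleartext.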

