HI!
To me this rationale for SMTP submission with implicit TLS seems also applicable to LDAPS vs. StartTLS:
https://tools.ietf.org/html/rfc8314#appendix-A
So LDAPS should not be considered deprecated. Rather it should be recommended and the _optional_ use of StartTLS should be strongly discouraged.
Ciao, Michael.
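The cleartext negotiation step that makes StartTLS optional, shown as an added example that is not code from this thread: a pure-Python encoder and decoder for the RFC 4511 StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) together with the fail-closed check a client must apply to the server's reply. The sample server replies are constructed here; an LDAPS client on port 636 has no such step, since TLS is established before the first LDAP message is sent.

```python
# Added example, not code from the thread: the LDAP StartTLS exchange of RFC 4511
# section 4.14, encoded and decoded by hand; the client must fail closed.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 128 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, content, position after it)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0        # long form: n length bytes follow
    length = int.from_bytes(data[pos:pos + n], "big") if n else first
    return tag, data[pos + n:pos + n + length], pos + n + length

def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage with extendedReq [APPLICATION 23] { requestName [0] }; messageID 1..127 only."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)

def extended_response(msg_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Constructed server reply: extendedResp [APPLICATION 24] = LDAPResult + responseName [10]."""
    body = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag)
    body += ber_tlv(0x8A, STARTTLS_OID)
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x78, body))

def starttls_decision(reply: bytes, expected_id: int) -> str:
    """Fail closed: wrap the socket only on a matching success reply; never
    continue in cleartext on a refusal, an id mismatch or a malformed message."""
    tag, msg, _ = read_tlv(reply)
    if tag != 0x30:
        return "abort: not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if int.from_bytes(mid, "big") != expected_id or op_tag != 0x78:
        return "abort: unexpected message"
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)         # matchedDN (empty)
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    if code != b"\x00":
        return f"abort: server refused StartTLS (resultCode {code[0]}: {diag.decode()})"
    return "wrap"
```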
On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:
> Hi!
> To me this rationale for SMTP submission with implicit TLS seems also applicable to LDAPS vs. StartTLS:
> https://tools.ietf.org/html/rfc8314#appendix-A
> So LDAPS should not be considered deprecated. Rather it should be recommended and the _optional_ use of StartTLS should be strongly discouraged.

Yes, I strongly agree with this. I have evidence to this fact and can provide it if required.
--On Tuesday, February 13, 2018 9:31 AM +1000 William Brown wibrown@redhat.com wrote:
> Yes, I strongly agree with this. I have evidence to this fact and can provide it if required.

Personally, I'm all for it. I'd suggest using the above RFC as a template for one formalizing port 636, so it's finally a documented standard.

--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Mon, 12 Feb 2018 18:10:29 -0800, Quanah Gibson-Mount quanah@symas.com wrote:
> Personally, I'm all for it. I'd suggest using the above RFC as a template for one formalizing port 636, so it's finally a documented standard.

We had discussed this topic some 10 years ago; at that time Kurt had some concerns with regard to ldaps and port 636. Unfortunately I can't remember details.
-Dieter
Dieter Klünter wrote:
> We had discussed this topic some 10 years ago; at that time Kurt had some concerns with regard to ldaps and port 636. Unfortunately I can't remember details.

The above-mentioned Appendix A references this section, which summarizes the concerns:
https://tools.ietf.org/html/rfc2595#section-7
IMO all these "issues" were even debatable at that time.
Ciao, Michael.
On Mon, 2018-02-12 at 18:10 -0800, Quanah Gibson-Mount wrote:
> Personally, I'm all for it. I'd suggest using the above RFC as a template for one formalizing port 636, so it's finally a documented standard.

Great! Where do we go from here to get this formalised properly?
--On Saturday, February 17, 2018 8:58 AM +1000 William Brown wibrown@redhat.com wrote:
> > Personally, I'm all for it. I'd suggest using the above RFC as a template for one formalizing port 636, so it's finally a documented standard.
> Great! Where do we go from here to get this formalised properly?

IETF ldapext is the starting point, I'd assume? Probably worthwhile to bring it up on that list?
--Quanah
openldap-technical@openldap.org