Hacker News new | past | comments | ask | show | jobs | submit login

The proposal for encryption extension to JMAP is already on it's 3rd draft for review.

https://www.ietf.org/id/draft-ietf-jmap-smime-sender-extensi...




Eugh, that might fly in some enterprise contexts but it violates a lot of principles what S/MIME is meant to be used for.

Is there a draft for strict JMAP transport security?


JMAP is already TLS-only <https://datatracker.ietf.org/doc/html/rfc8620#section-8.1>:

> To ensure the confidentiality and integrity of data sent and received via JMAP, all requests MUST use TLS 1.2 or later, following the recommendations in RFC 7525. Servers SHOULD support TLS 1.3 or later.

> Clients MUST validate TLS certificate chains to protect against man-in-the-middle attacks.


That's not "MUST prevent the end-user from trivially accepting the invalid chain" though, which is also an issue with current MUAs and IMAP/SMTP.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: