
Eugh, that might fly in some enterprise contexts, but it violates a lot of the principles of what S/MIME is meant to be used for.

Is there a draft for strict JMAP transport security?




JMAP is already TLS-only <https://datatracker.ietf.org/doc/html/rfc8620#section-8.1>:

> To ensure the confidentiality and integrity of data sent and received via JMAP, all requests MUST use TLS 1.2 or later, following the recommendations in RFC 7525. Servers SHOULD support TLS 1.3 or later.

> Clients MUST validate TLS certificate chains to protect against man-in-the-middle attacks.


That's not "MUST prevent the end-user from trivially accepting the invalid chain" though, which is also an issue with current MUAs and IMAP/SMTP.



