Open klensin opened 1 week ago
20241107: Working draft text changed to reflect suggestion above.
However, if we are going down this path, should we explain that this is in reference to both the authentication of the sender and the integrity of the message as sent?
Also, do we need another subsection to say something about content protection/encryption?
The inclusion of PGP and S/MIME was, I believe, intended to point to all three (with some deliberate vagueness).
Donald Eastlake pointed out, and others noticed and pointed out during the Last Call discussion, that this section is really entirely about authentication and not other security issues. His suggestion is to change the first sentence to "The authenticity of SMTP mail is not secure...". A more drastic fix would be to make the authenticity focus more explicit and/or to add a separate subsection discussing encryption issues.
Up to the WG.
Because of the hop-by-hop problem, if we adopt his text, we may want to retain (and explain further if necessary) "inherently".