The goal is to transplant the concepts of HTTP Strict Transport Security (HSTS) and the Public Key Pinning Extension for HTTP (HPKP) to other protocols that support TLS. We aim to do this for popular internet protocols such as SMTP, POP, FTP, XMPP and IRC.
- Identify status codes that are currently undefined and can be safely ignored by clients that do not support them.
- In the reply carrying this status code, the server SHOULD send a list of tokens describing its Enhanced TLS Security settings.
TODO: The actual grammar of the token is yet to be defined and might be different for the respective protocol, depending on the list of allowed characters.
Example (SMTP):
S: 220 smtp2.example.com ESMTP Postfix
C: EHLO bob.example.org
S: 250-smtp2.example.com Hello bob.example.org [192.0.2.201]
S: 250-SIZE 14680064
S: 250-PIPELINING
S: 250-ENHANCED-TLS STS: max-age=31536000; PKP: pin-sha256=abcd…;
S: 250 HELP
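The client side of the SMTP exchange above, as an added example that is not part of the proposal: a parser for the ENHANCED-TLS capability line, an HSTS-style per-host policy cache, and an HPKP-style pin check. Because the token grammar is still undefined, the parser assumes the `NAME: key=value;` shape of the example line; the EHLO reply and the SPKI bytes are constructed.

```python
import base64
import hashlib

def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
FAKE_SPKI = b"constructed SubjectPublicKeyInfo bytes"  # stand-in, not a real key

# Constructed EHLO reply mirroring the page's SMTP example. The token grammar
# is not yet defined, so this assumes "NAME: key=value;" groups split on ';'.
EHLO_REPLY = [
    "250-smtp2.example.com Hello bob.example.org [192.0.2.201]",
    "250-SIZE 14680064",
    "250-PIPELINING",
    f"250-ENHANCED-TLS STS: max-age=31536000; PKP: pin-sha256={spki_pin(FAKE_SPKI)};",
    "250 HELP",
]

def parse_enhanced_tls(lines):
    """Extract the policy; an absent capability yields an empty one (unaware peers are unaffected)."""
    policy = {"sts_max_age": None, "pins": []}
    for line in lines:
        if line[:4] not in ("250-", "250 ") or not line[4:].startswith("ENHANCED-TLS"):
            continue
        section = None
        for item in line[4 + len("ENHANCED-TLS"):].split(";"):
            item = item.strip()
            if ":" in item:  # new group, e.g. "STS: max-age=..."
                section, item = (s.strip() for s in item.split(":", 1))
            key, _, value = item.partition("=")
            if section == "STS" and key == "max-age":
                policy["sts_max_age"] = int(value)
            elif section == "PKP" and key == "pin-sha256" and value:
                policy["pins"].append(value)
    return policy

def remember_policy(cache, host, policy, now):
    """HSTS-like cache keyed by host: max-age=0 clears it, otherwise it expires."""
    max_age = policy["sts_max_age"]
    if max_age == 0:
        cache.pop(host, None)
    elif max_age is not None:
        cache[host] = {"expires": now + max_age, "pins": policy["pins"]}

def must_use_tls(cache, host, now):
    """True while a cached policy is in force: never fall back to plaintext then."""
    return host in cache and now < cache[host]["expires"]

def pin_matches(cache, host, spki_der):
    """Enforce cached pins; with none cached, normal chain validation decides."""
    pins = cache.get(host, {}).get("pins", [])
    return not pins or spki_pin(spki_der) in pins
```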
As Daniel Veditz has pointed out, this should live in TLS, not in the application-layer protocol.
Unfortunately this needs more cooperation and work on the implementation side (patches for both the TLS stack and the application that uses it).