[apps-discuss] Fwd: Review of draft-ietf-eai-simpledowngrade-03
Ted Hardie <ted.ietf@gmail.com> Mon, 23 April 2012 16:23 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAC8E21F8763 for <apps-discuss@ietfa.amsl.com>; Mon, 23 Apr 2012 09:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.556
X-Spam-Level:
X-Spam-Status: No, score=-3.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxDwUFvkSb0j for <apps-discuss@ietfa.amsl.com>; Mon, 23 Apr 2012 09:23:32 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 042D121F875B for <apps-discuss@ietf.org>; Mon, 23 Apr 2012 09:23:28 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so9635657vbb.31 for <apps-discuss@ietf.org>; Mon, 23 Apr 2012 09:23:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=cSIHFOrpdj5XcMPpqy5IHuU1gL+yRFghl+CvCB1/k6g=; b=pNeVMMgy+uoWFksrdAsscukem3ULnenEr9Fbc88C3KlPveaSVTbfwlyrEbp20xeEyR t6+mGs3W/f4qsxaqmydMcchkJq/EgIhN3YYuGAK2A+IzbfSTT153IuvFQaIo3Uyy7X0f QGRSZaQNXmP2BKevY2DVmrK5erEEQFfNcF4egGunxkJHI/k3GLnEiXEsEIeEtHx6hmTD ROLprV+tOarBMZ6kBDuFrwISed4G7iktAxptlyhLWuMGybi3Zwbv6tDheEA9i2JOdXTT BCczmQdnifze5FRlivJa/xkc1AfAozyK7MF1zcct0O0LpZA6SQxPBB1KeZSuKsE6ySKZ jvrQ==
MIME-Version: 1.0
Received: by 10.220.230.67 with SMTP id jl3mr6274576vcb.50.1335198208431; Mon, 23 Apr 2012 09:23:28 -0700 (PDT)
Received: by 10.52.162.99 with HTTP; Mon, 23 Apr 2012 09:23:28 -0700 (PDT)
In-Reply-To: <CA+9kkMDwOu=T+dwUvNmDdFbtEA6g__2=iB6J_m--9mX-_WNQZQ@mail.gmail.com>
References: <CA+9kkMDwOu=T+dwUvNmDdFbtEA6g__2=iB6J_m--9mX-_WNQZQ@mail.gmail.com>
Date: Mon, 23 Apr 2012 09:23:28 -0700
Message-ID: <CA+9kkMA+gwo9zxUcbb6NK5CFu3T3kUbRHr9-pH5cPtZyodHDrA@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: apps-discuss@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [apps-discuss] Fwd: Review of draft-ietf-eai-simpledowngrade-03
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 16:23:35 -0000
Apologies; I forgot to cc this list on the review. regards, Ted ---------- Forwarded message ---------- From: Ted Hardie <ted.ietf@gmail.com> Date: Mon, Apr 23, 2012 at 8:57 AM Subject: Review of draft-ietf-eai-simpledowngrade-03 To: draft-ietf-eai-simpledowngrade.all@tools.ietf.org Cc: IESG <iesg@ietf.org> I have been selected as the Applications Area Directorate reviewer for this draft (for background on appsdir, please see http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ). Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: Title: EAI: Simplified POP/IMAP downgrading Reviewer: Ted Hardie Review Date: April 23, 2012 Summary: I believe that the draft is almost ready for publication, but that it cannot be progressed on the standards track because of its impact on the security of the email messages. I understand the reluctance of the WG to create Experimental documents at this stage, so I suggest Informational as a target status. Major Issues: The document is clear that its intent is to provide a simple-to-implement method that provides basic means for downgrading certain fields in a message. A major element of its strategy is to silently excise information which cannot be presented to the user. This may eliminate MIME parameters (see section 2.2); it may also eliminate any header field not explicitly treated (the subject field and those listed in 2.1). This, combined with the possible invalidity of signatures for signed body parts, can significantly reduce the amount of data available to the user for making a determination of whether or not a message is legitimate. Crafting a message that appeared to have already gone through this encoding also seems relatively easy, making it possible for a sender to provide a message that does not have the normal complement of data for assessment by a user. Given this major loss of information, I do not believe that this document describes an approach that should be placed on the standards track; if the working group believes this to be valuable, it should be delivered as informational. This seems also to be a better fit for the loose interoperablity strategy here: "The format of the display-name is explicitly unspecified. Anything which tells the user what happened is good. Anything which produces an email address which might belong to someone else is bad." Minor Issues: The document does not describe how it relates to the other two options the working group has discussed for downgrade. I believe it should do so in order to provide context for the choices made here. A review of the mailing list shows this message: http://www.ietf.org/mail-archive/web/ima/current/msg04539.html as kicking off the core rationale and relationship. Some form of this should be included in the document, possibly along with the "no downgrade" option. This document does not describe how the IMAP/POP downgrade choices here would impact SIEVE script processing; I believe this represents an assumption on when the downgrade takes place which should be made explicit. Nits: The document says: Given an internationalized address "Fred Foo <fred@EXAMPLE.com>", an implementation may choose to render it e.g. as these examples: "render" is seriously overloaded in this context. Would "encode" work as well here?
- [apps-discuss] Fwd: Review of draft-ietf-eai-simp… Ted Hardie
- Re: [apps-discuss] Review of draft-ietf-eai-simpl… Ted Hardie
- Re: [apps-discuss] Fwd: Review of draft-ietf-eai-… Ned Freed
- Re: [apps-discuss] Review of draft-ietf-eai-simpl… Arnt Gulbrandsen
- Re: [apps-discuss] Review of draft-ietf-eai-simpl… Arnt Gulbrandsen
- Re: [apps-discuss] Review of draft-ietf-eai-simpl… John Levine