Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

   This document describes how the Sieve email filtering language, along
   with some extensions, can be used to create automatic replies to
   incoming electronic mail messages based on the address book and
   presence information of the recipient.

The security considerations section details many potential issues with
automated responders.  One attack that it does not mention is the
potential for using the auto-responder as an oracle, in particular if
the system is using any public key cryptographic methods.  An attacker
could, theoretically, use the auto-responder to perform timing attacks.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant