IETF Logo Mail Archive

[yam] [Fwd: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03]

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 03 March 2010 12:09 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9F163A8DA2 for <yam@core3.amsl.com>; Wed, 3 Mar 2010 04:09:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.741
X-Spam-Level:
X-Spam-Status: No, score=-2.741 tagged_above=-999 required=5 tests=[AWL=-0.143, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbrywPmAZ1cp for <yam@core3.amsl.com>; Wed, 3 Mar 2010 04:09:25 -0800 (PST)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 5209A3A8DA1 for <yam@ietf.org>; Wed, 3 Mar 2010 04:09:25 -0800 (PST)
Received: from [172.16.2.136] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <S45RcwAu7r4B@rufus.isode.com>; Wed, 3 Mar 2010 12:09:24 +0000
Message-ID: <4B8E515A.6060608@isode.com>
Date: Wed, 03 Mar 2010 12:08:58 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: yam@ietf.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------050904050008000408040900"
Subject: [yam] [Fwd: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03]
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 12:09:26 -0000



      
          

--- Begin Message ---
      
          
I reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This is a very, very brief document that is targeted to obsolete RFC 
1652. It addresses transport of 8-bit (vs. ASCII) data via SMTP, 
consistent with carriage of MIME 8BIT content encoding. This document 
is part of the YAM effort, updating the series of Internet email 
standards.

The security considerations section consists of only one sentence: 
"This RFC does not discuss security issues and is not believed to 
raise any security issues not already endemic in electronic mail and 
present in fully conforming implementations of [RFC5321]." RFC 5321 
(the updated SMTP spec) has an extensive security considerations 
section, so this is a reasonable reference. I could imagine security 
issues that might be associated with this document vs. 5321, since 
the security section of the latter document does not address any 
security concerns related to transfer of 8-bit data. For example, the 
handshake used to determine whether an SMTP sever support 
receipt/relay of 8-bit data might be used to target servers based on 
the lack of such support. One might even cite the use of this 
transport capability as facilitating malware transmission in e-mail 
attachments :.


      
          
_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir



      
          --- End Message ---


      
          

--- Begin Message ---
      
          
Hi Stephen,

Stephen Kent wrote:
 [...]

> The security considerations section consists of only one sentence: 
> "This RFC does not discuss security issues and is not believed to 
> raise any security issues not already endemic in electronic mail and 
> present in fully conforming implementations of [RFC5321]." RFC 5321 
> (the updated SMTP spec) has an extensive security considerations 
> section, so this is a reasonable reference. I could imagine security 
> issues that might be associated with this document vs. 5321, since the 
> security section of the latter document does not address any security 
> concerns related to transfer of 8-bit data. For example, the handshake 
> used to determine whether an SMTP sever support receipt/relay of 8-bit 
> data might be used to target servers based on the lack of such support.

Can you elaborate of your concern hear?
If you can suggest some text, that would be perfect.

> One might even cite the use of this transport capability as 
> facilitating malware transmission in e-mail attachments.

Does it?




      
          --- End Message ---


      
    

    

      
    


 




            


        



      
 


      

        
      

          
    
 

    


 

    



    






    

    


    
  
    
  

      
v2.23.0 | Report a Bug | By Email