Last Modified: 2005-01-25
|Oct 04||Submit LEMONADE goals and use-cases specification to the IESG|
|Oct 04||Submit server to server notification requirements to the IESG|
|Nov 04||Submit translation to other messaging systems to the IESG|
|Nov 04||Submit IMAP/SUBMIT extensions for forward without download to IESG|
|Jan 05||Submit IMAP4 extensions for streaming multimedia to the IESG|
|Feb 05||Submit IMAP4 profile for mobile devices to the IESG|
|Mar 05||Submit server to server notification protocol to the IESG|
Minutes by Eric Burger Compiled from Jabber Log
Goals in RFC Editor Queue
Server-to-Server Notifications Needs WG Chair Write-Up for IESG
MMS Mapping Needs WG Chair Write-Up for IESG
Future Delivery and BURL needs nits review
Tool to help nits review: http://ietf.levkowetz.com/tools/idnits/idnits.pyht
- url interpretation: basic concern is "what is the base url for relatively interpretation? does it change in selected state as opposed to authenticated state?"
- if you are going to use an absolute url we have an issue of a server needing to know its own domain name and do you always want to include the username
- an absolute url without a user seems to indicate an anonymous user
- Philip Gunther: favor of changing base url in selected state
- Chris Newman: the complexity is how to deal with ".." in a relative url?
seems to be consensus for selected state changing base URL for relative urls, specifically, to "this mailbox"
Are absolute URLs allowed? is the client required to use relative URLs where possible?
- general agreement that we should force clients to use relative URLs and have a different extension for absolute URLs.
- John Klensin that disallowing absolute URLs is weird. Why have URLs at all if we can only use relative URLs?
- Chris Newman: we should require relative URLs but need to make clear that "/random/mailbox" refers to "random/mailbox"
Consensus that absolute URLs are out for this extension
";AUTH=" is also not allowed
Absolute URLs are syntactically allowed, but not supported by the CATENATE extension.
Absolute URLs get a "NO" from the server.
Same for AUTH.
Needs new draft, new Chairs say enough has changed for new WGLC
Alexey notes there are some ABNF issues with IMAP URL RFC, which he sent to Chris.,
Greg V: are requirements on server only or client, too? Consensus is requirements are on server, but document needs to give hints to client for how to use server extension.
Needs lots of work. Right now document is a tutorial. Needs to be a standards document.
EKR: Comfortable if we use same authentication method for reconnect as for initial IMAP connect. Using *only* a cookie opens up passive attack. Using cookie after authentication is OK.
Alexey & Corby: This is how Quick Reconnect works today (using cookie after full authentication).
Cyrus Daboo points out that this is needed for desktop clients, as well as mobile clients.
Edwin Aoki asks about single use schemes (e.g., SecurId). EKR says that if that is the authentication method, that is the authentication method.
Transcoding & Security
Drawing on fact that there is a possibility for the server to hand the encrypted session key to the client, the client can decrypt the session key, and hand back the key to the server, we can (1) ANNOTATE clear key to message, (2) decrypt message using session key and CATENATE message to temporary/permanent storage, (3) hand session key over for each IMAP operation.
One problem is key is part of encrypted blob. [BTW: Ned pointed out need for separate carriage of key back in early 90's.] EKR points out that key almost always lives in first 4KB of blob, so can hack extraction. Jim Shod states that API's exist for S/MIME to do separate session key extraction, session key decryption, and decryption of the message using the decrypted session key.
Will form design team to address this issue.
On the streaming issue, URLAUTH addresses the Streaming Server-IMAP Server association, so long as the Streaming Server is authenticated to the IMAP Server; can use the same mechanism a SUBMIT server authenticates with the IMAP server for forward-without-download. Normal IMAP authentication addresses the IMAP Server-IMAP Client association. Using a secure channel between the IMAP Client and Streaming Server should be OK (EKR), but Sam Hartman separately expressed concern that the association between the IMAP Client and the Streaming Server has to use the same method as the IMAP Client and IMAP Server. For example, if the IMAP login does not use certificates, then we should not require the use of certificates for the IMAP Client-Streaming Server link.
Stan Turner volunteered to participate on e2e design team.
EKR volunteered to help review specific documents.