IETF Logo Mail Archive

Re: objections, again

"D. J. Bernstein" <djb@koobera.math.uic.edu> Sun, 03 August 1997 23:13 UTC

Received: from cnri by ietf.org id aa13784; 3 Aug 97 19:13 EDT
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by cnri.reston.va.us (8.8.5/8.7.3) with ESMTPid TAA07630; Sun, 3 Aug 1997 19:12:04 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.5/8.7.3) id PAA14805 for ietf-822-bks; Sun, 3 Aug 1997 15:52:54 -0700 (PDT)
Received: from koobera.math.uic.edu (qmailr@koobera.math.uic.edu [131.193.178.247]) by mail.proper.com (8.8.5/8.7.3) with SMTP id PAA14801 for <ietf-822@imc.org>; Sun, 3 Aug 1997 15:52:49 -0700 (PDT)
Received: (qmail 6451 invoked by uid 666); 3 Aug 1997 22:57:24 -0000
Date: Sun, 03 Aug 1997 22:57:24 -0000
Message-ID: <19970803225724.6450.qmail@koobera.math.uic.edu>
From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
To: ietf-822@imc.org
Subject: Re: objections, again
Sender: owner-ietf-822@imc.org
Precedence: bulk

> it can still be configured to handle them.

How?

Consider, for example, the following two accounts (names changed to
protect the innocent):

   widget@foo.com
   widget+x@foo.com

These are project accounts for completely different groups.

According to your proposal, mail for widget+x MUST be delivered to
widget by default, except that widget MAY be allowed to reconfigure the
delivery.

Now you seem to be claiming that software can be configured to do

   widget+(x+*) -> (widget+x)+*

Is that capability required by your document? Yes, qmail could pull
this sort of trick even if it didn't do the right thing by default, but
what about other MTAs?

More importantly, your rules violate foo.com's security policy.

It is unacceptable for the widget people to receive the widget+x mail.

It is unacceptable for the widget people to control the widget+x mail.

Do these people have to change their e-mail addresses when they install
your ``compliant'' software?

  [ -request vs. the artificially inconsistent ``+'' separator ]
> However, it is naming hierarchy rather than subaddressing and it uses a
> different separator.

I'm still waiting for an answer to my question on this topic: Is it
widget-request or widget+request?

> Therefore there is no inconsistancy. 

Answer the question.

> The keywords are used to get interoperation between

How can ``MUST do X by default'' be required for interoperation? X isn't
even required! It's indistinguishable from ``MUST NOT do X by default''
from an interoperability perspective. Other software can't rely on X and
can't rely on not-X.

> >    * Chris's syntax requirements prohibit MUAs from sending mail to
> >      some valid addresses.
> Only when using subaddresses.

The point remains: Your rules prohibit MUAs from sending mail to some
valid addresses.

> >    * Chris's syntax requirements produce misdirected mail for _all_
> >      quoted addresses when the MTA handles quoting correctly (as, e.g.,
> >      MMDF does).
> I see no reason why.  Please explain.

When your MUA replies to

   From: "a,b+c"@d.e

it will incorrectly pass "a,b+c"@d.e to the MTA.

The address is actually a,b+c@d.e. It can be _encoded_ as "a,b+c"@d.e
under RFC 821 and RFC 822, but the quotes are not part of the address.

The incorrect address will work with sendmail, but that doesn't make it
right. sendmail violates the quoting rules in RFC 821 and RFC 822.

It's much better in practice for the MUA to avoid address parsing. The
MTA's submission agent can take care of it.

> >    * Chris's validation restriction is bizarre.
> This is not a technical complaint and thus has no merit.

Amusing---your previous response to this criticism was ``good point.''

Let me rephrase. Your validation restriction has so many obviously wrong
effects that it can't possibly be what you meant. It is, like your many
unclear requirements, a result of bad writing; the fact that it's clear
is merely an accident.

> But this is
> not a real security issue as anyone can generate email from "a", "a+b" or 
> "a+c" regardless.

Wrong.

I've seen a list that, before calling the MLM software, invokes PGP to
verify that the message is PGP-signed by the sender. The MLM then checks
the sender address against the subscription list. Subscribers have to be
preapproved (though there are some open sublists for lurkers).

Your requirement destroys this security mechanism. An attacker takes an
approved ``joe@isp.net'' address and registers a ``joe+haha@isp.net''
PGP key; PGP is satisfied; but an MLM following your rules has to ignore
the +haha when it's checking the address.

Your denial of this security issue is despicable.

> >    * Chris's MLM requirement prohibits cryptographic applications of
> >      subaddresses.
> How does the MLM requirement conflict with RFC 2015?

I said ``cryptographic applications of subaddresses,'' not ``RFC 2015.''
I already gave cookies as an example. It's a _different_ mechanism, see?

  [ proposal is not the de facto standard ]
> Thus I have previously agreed to alter the wording.

Inadequate. Your use of the term ``subaddressing'' is still deceptive.
Choose a phrase that accurately identifies your subaddressing system,
such as ``The AMS Subaddressing System.''

> Out of curiosity, which MTAs other than qmail support your flavor of
> subaddressing?

Do you mean using dash as a separator, or the more advanced features?

Reportedly both sendmail and exim can be configured to handle dash.

MMDF, the only popular MTA that has had this feature for a long time,
appears to break addresses at "=", "/", or "|"; not configurable.

On the MUA side, apparently mutt, elm, trn, slrn, nn, gnus, knews, and
mh allow the user to configure arbitrary From addresses. (Of course,
qmail can set the From even if the MUA doesn't.)

> And I was surprised to find that Pine
> supported the user-validation subaddressing feature.

Which version? Where is this documented? Are you sure you haven't been
surprised by a local hack?

---Dan
Set up a new mailing list in a single command. http://pobox.com/~djb/ezmlm.html

v2.23.0 | Report a Bug | By Email