Re: [AAA-DOCTORS] [OPS-DIR] FW: Evaluation: draft-gulbrandsen-imap-response-codes-07.txt to Proposed Standard
Joel Jaeggli <joelja@bogus.com> Wed, 11 March 2009 20:21 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: aaa-doctors@core3.amsl.com
Delivered-To: aaa-doctors@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C7FD828C1C7; Wed, 11 Mar 2009 13:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYZXr-7dC4Hv; Wed, 11 Mar 2009 13:21:25 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id 48C6F28C18E; Wed, 11 Mar 2009 13:21:25 -0700 (PDT)
Received: from [192.103.16.144] ([192.103.16.144]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id n2BKLuAJ034644 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Mar 2009 20:21:56 GMT (envelope-from joelja@bogus.com)
Message-ID: <49B81D55.7030009@bogus.com>
Date: Wed, 11 Mar 2009 13:21:41 -0700
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
References: <EDC652A26FB23C4EB6384A4584434A04014D46B3@307622ANEX5.global.avaya.com>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A04014D46B3@307622ANEX5.global.avaya.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/9093/Wed Mar 11 15:32:37 2009 on nagasaki.bogus.com
X-Virus-Status: Clean
X-Mailman-Approved-At: Thu, 12 Mar 2009 03:59:40 -0700
Cc: aaa-doctors@ietf.org, ops-dir@ietf.org
Subject: Re: [AAA-DOCTORS] [OPS-DIR] FW: Evaluation: draft-gulbrandsen-imap-response-codes-07.txt to Proposed Standard
X-BeenThere: aaa-doctors@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: AAA Doctors E-mail List <aaa-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/aaa-doctors>
List-Post: <mailto:aaa-doctors@ietf.org>
List-Help: <mailto:aaa-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 20:21:26 -0000
The security considerations note:

   Revealing information about a passphrase to unauthenticated IMAP
   clients has bad karma.

I'd say it's worse than that, notably:

AUTHENTICATIONFAILED doesn't reveal that much that can't already be
concluded.

   AUTHENTICATIONFAILED

      Authentication failed for some reason which the server is not
      willing to elaborate. Typically this includes "unknown user" and
      "bad password".

      This is the same as not sending any response code, except that
      when a client sees AUTHENTICATIONFAILED, it knows that the problem
      wasn't e.g. UNAVAILABLE, so there's no point in trying the same
      login/password again later.

      C: b LOGIN "fred" "foo"
      S: b NO [AUTHENTICATIONFAILED] Authentication failed

AUTHORIZATIONFAILED reveals that the identity is valid. The results can
be used to reduce the search space for the currently in vogue brute
force attempts considerably. Assuming some kind of congruence between
username and email address it can also be used as a brute force address
harvesting mechanism, or to generate more information about the users
on a potential target.

   AUTHORIZATIONFAILED

      Authentication succeeded, but authorization failed. This is only
      applicable when the authentication and authorization identities
      are different.

      C: c AUTHENTICATE PLAIN
      [...]
      S: c NO [AUTHORIZATIONFAILED] No such auth-ID

EXPIRED on the other hand only reveals information to possessors of
valid credentials.

   EXPIRED

      Authentication succeeded or the server didn't have the necessary
      data any more, but access is no longer permitted using that
      passphrase. The client or user should get a new passphrase.

      C: d login "fred" "foo"
      S: d NO [EXPIRED] That password isn't valid any more

Romascanu, Dan (Dan) wrote:
>
> A URL of this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-gulbrandsen-imap-response-codes-07.txt
>
> Technical Summary
>
> IMAP responses consist of a response type (OK, NO, BAD), an optional
> machine-readable response code and a human-readable text.
>
> This document collects and documents a variety of machine-readable
> response codes, for better interoperation and error reporting.
>
> Working Group Summary
>
> This is not a WG document.
> Nothing worth reporting.
>
> Document Quality
>
> The document was extensively reviewed by both IMAP client and
> server implementors. There are already several implementations
> of this document.
>
> At least 10 people have reviewed the document. The majority of posted
> comments were addressed in the latest revision.
>
> Personnel
>
> Alexey Melnikov <alexey.melnikov@isode.com> is the document shepherd
> for this document. Chris Newman has reviewed this document for the
> IESG.
>
> Note to RFC Editor
>
> [pending text for secdir review, possibly for IANA question]
>
> _______________________________________________
> OPS-DIR mailing list
> OPS-DIR@ietf.org
> https://www.ietf.org/mailman/listinfo/ops-dir
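The leakage Joel describes, as an added illustration that is not part of the draft or of anyone's message in this thread. The first function builds the tagged NO response for an authentication outcome using the three codes quoted above (the order of checks, and the UNAVAILABLE branch, are this example's assumptions); because AUTHORIZATIONFAILED is only ever emitted after the credential check passed, a client that receives it for "No such auth-ID" has learned that its authentication identity was valid, which is the oracle the message warns about. The second function is a server-side detection over a constructed, hypothetical log format: a single authenticated client that collects AUTHORIZATIONFAILED against many distinct authorization identities is walking that oracle rather than misconfiguring one account.

```python
# Added example, not code from the draft or from anyone in this thread.
# The response-selection logic follows the descriptions quoted in the
# message; the log format and the sample log lines are constructed for
# the demonstration and do not correspond to any real IMAP server.
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthOutcome:
    """Result of the server's credential check for one LOGIN/AUTHENTICATE."""
    credentials_valid: bool           # authentication identity + passphrase checked out
    authz_exists: bool                # the requested authorization identity exists
    passphrase_expired: bool = False  # credentials matched, but the passphrase is no longer accepted
    server_unavailable: bool = False  # backend down; nothing about the user was checked


def choose_response_code(tag: str, outcome: AuthOutcome) -> str:
    """Build the tagged IMAP response for an outcome, using the codes the message discusses.

    Check order is an assumption of this example: UNAVAILABLE is reported
    before anything user-specific, and AUTHORIZATIONFAILED is only sent after
    authentication succeeded, which is exactly why it confirms to the client
    that the authentication identity was valid.
    """
    if outcome.server_unavailable:
        return f"{tag} NO [UNAVAILABLE] Temporary failure"
    if not outcome.credentials_valid:
        # Deliberately the same text for "unknown user" and "bad password".
        return f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed"
    if outcome.passphrase_expired:
        return f"{tag} NO [EXPIRED] That password isn't valid any more"
    if not outcome.authz_exists:
        return f"{tag} NO [AUTHORIZATIONFAILED] No such auth-ID"
    return f"{tag} OK Logged in"


# Constructed server-side log format (hypothetical):
#   <timestamp> <client-ip> authz=<authorization-id> resp=<tagged NO response>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) authz=(?P<authz>\S*) resp=(?P<tag>\S+) NO \[(?P<code>[A-Z]+)\]"
)

# Constructed sample: one client probes four auth-IDs with valid credentials,
# another fails two logins and then hits a single missing auth-ID.
SAMPLE_LOG = """\
2009-03-11T20:01:00Z 198.51.100.7 authz=alice resp=a1 NO [AUTHORIZATIONFAILED] No such auth-ID
2009-03-11T20:01:01Z 198.51.100.7 authz=bob resp=a2 NO [AUTHORIZATIONFAILED] No such auth-ID
2009-03-11T20:01:02Z 198.51.100.7 authz=carol resp=a3 NO [AUTHORIZATIONFAILED] No such auth-ID
2009-03-11T20:01:03Z 198.51.100.7 authz=dave resp=a4 NO [AUTHORIZATIONFAILED] No such auth-ID
2009-03-11T20:05:00Z 203.0.113.9 authz= resp=b NO [AUTHENTICATIONFAILED] Authentication failed
2009-03-11T20:05:07Z 203.0.113.9 authz= resp=c NO [AUTHENTICATIONFAILED] Authentication failed
2009-03-11T20:06:00Z 203.0.113.9 authz=erin resp=d NO [AUTHORIZATIONFAILED] No such auth-ID
"""


def find_enumeration_sources(log_text: str, threshold: int = 3) -> dict:
    """Return {client_ip: sorted authz ids} for clients that collected
    AUTHORIZATIONFAILED for at least `threshold` distinct authorization identities.

    One AUTHORIZATIONFAILED looks like a configuration mistake; many, each
    against a different auth-ID from one authenticated client, is the
    identity oracle being walked.
    """
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("code") != "AUTHORIZATIONFAILED":
            continue
        probed[m.group("ip")].add(m.group("authz"))
    return {ip: sorted(ids) for ip, ids in probed.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(choose_response_code("b", AuthOutcome(credentials_valid=False, authz_exists=True)))
    print(choose_response_code("c", AuthOutcome(credentials_valid=True, authz_exists=False)))
    for ip, ids in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{ip} probed {len(ids)} authorization identities: {', '.join(ids)}")
```

The detection keys on distinct authorization identities per client rather than on raw counts, so a proxy account that legitimately impersonates a handful of mailboxes does not trip it, while a sweep through a candidate list does; the threshold is a tunable, not a recommendation from the draft.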