Re: [AAA-DOCTORS] [OPS-DIR] FW: Evaluation: draft-gulbrandsen-imap-response-codes-07.txt to Proposed Standard

Joel Jaeggli <joelja@bogus.com> Wed, 11 March 2009 20:21 UTC

Message-ID: <49B81D55.7030009@bogus.com>
Date: Wed, 11 Mar 2009 13:21:41 -0700
From: Joel Jaeggli <joelja@bogus.com>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
References: <EDC652A26FB23C4EB6384A4584434A04014D46B3@307622ANEX5.global.avaya.com>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A04014D46B3@307622ANEX5.global.avaya.com>
Cc: aaa-doctors@ietf.org, ops-dir@ietf.org
Subject: Re: [AAA-DOCTORS] [OPS-DIR] FW: Evaluation: draft-gulbrandsen-imap-response-codes-07.txt to Proposed Standard

The security considerations note:

   Revealing information about a passphrase to unauthenticated IMAP
   clients has bad karma.

I'd say it's worse than that, notably:

AUTHENTICATIONFAILED doesn't reveal that much that can't already be
concluded.

   AUTHENTICATIONFAILED Authentication failed for some reason which the
               server is not willing to elaborate. Typically this
               includes "unknown user" and "bad password".

               This is the same as not sending any response code, except
               that when a client sees AUTHENTICATIONFAILED, it knows
               that the problem wasn't e.g. UNAVAILABLE, so there's no
               point in trying the same login/password again later.

               C: b LOGIN "fred" "foo"
               S: b NO [AUTHENTICATIONFAILED] Authentication failed

AUTHORIZATIONFAILED reveals that the identity is valid. The results can
be used to reduce the search space for the currently in vogue brute
force attempts considerably. Assuming some kind of congruence between
username and email address it can also be used as a brute force address
harvesting mechanism, or to generate more information about the users on
a potential target.

   AUTHORIZATIONFAILED Authentication succeeded, but authorization
               failed. This is only applicable when the authentication
               and authorization identities are different.

               C: c AUTHENTICATE PLAIN
               [...]
               S: c NO [AUTHORIZATIONFAILED] No such auth-ID

EXPIRED on the other hand only reveals information to possessors of
valid credentials.

   EXPIRED     Authentication succeeded or the server didn't have the
               necessary data any more, but access is no longer
               permitted using that passphrase. The client or user
               should get a new passphrase.

               C: d login "fred" "foo"
               S: d NO [EXPIRED] That password isn't valid any more

Romascanu, Dan (Dan) wrote:
> 
> A URL of this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-gulbrandsen-imap-response-codes-07.txt
> 
> Technical Summary
> 
>    IMAP responses consist of a response type (OK, NO, BAD), an optional
>    machine-readable response code and a human-readable text.
> 
>    This document collects and documents a variety of machine-readable
>    response codes, for better interoperation and error reporting.
> 
> Working Group Summary
> 
>   This is not a WG document.
>   Nothing worth reporting.
> 
> Document Quality
> 
>   The document was extensively reviewed by both IMAP client and
>   server implementors. There are already several implementations
>   of this document.
> 
>   At least 10 people have reviewed the document. The majority of posted
>   comments were addressed in the latest revision.
> 
> Personnel
> 
>   Alexey Melnikov <alexey.melnikov@isode.com> is the document shepherd
>   for this document.  Chris Newman has reviewed this document for the
>   IESG.
> 
> Note to RFC Editor
> 
>   [pending text for secdir review, possibly for IANA question]
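As an added illustration (not part of Joel's message or of the draft), the Python below parses IMAP tagged status responses in the shape quoted above, labels what each of the three codes discloses to an unauthenticated client as argued in the review, and scans a constructed server-side log for client sources that repeatedly draw AUTHORIZATIONFAILED, the pattern the message says could be turned into identity harvesting. The log line format, the sample addresses and the threshold are assumptions made for the example.

```python
import re
from collections import Counter

# RFC 3501 tagged status response: <tag> <OK|NO|BAD> [<CODE> args] <text>
_RESP = re.compile(
    r'^(?P<tag>\S+) (?P<status>OK|NO|BAD)'
    r'(?: \[(?P<code>[A-Z]+)(?: [^\]]*)?\])? (?P<text>.*)$'
)

def parse_response(line):
    """Return tag/status/code/text for one server response line, else None."""
    m = _RESP.match(line.strip())
    return m.groupdict() if m else None

# What each NO response code tells an unauthenticated client (per the review above).
DISCLOSURE = {
    "AUTHENTICATIONFAILED": "nothing beyond failure",
    "AUTHORIZATIONFAILED": "the authentication identity is valid",
    "EXPIRED": "credential was valid but is retired (only to its holder)",
}

def disclosure(line):
    """Disclosure class for a NO response; None for OK/BAD or unparsable lines."""
    parsed = parse_response(line)
    if parsed is None or parsed["status"] != "NO":
        return None
    return DISCLOSURE.get(parsed["code"], "nothing beyond failure")

# Constructed log (assumed format: "<timestamp> <client-ip> <response line>").
SAMPLE_LOG = [
    "2009-03-11T20:21:41Z 192.0.2.10 c NO [AUTHORIZATIONFAILED] No such auth-ID",
    "2009-03-11T20:21:42Z 192.0.2.10 d NO [AUTHORIZATIONFAILED] No such auth-ID",
    "2009-03-11T20:21:43Z 198.51.100.7 b NO [AUTHENTICATIONFAILED] Authentication failed",
    "2009-03-11T20:21:44Z 192.0.2.10 e NO [AUTHORIZATIONFAILED] No such auth-ID",
    "2009-03-11T20:21:45Z 198.51.100.7 c NO [AUTHORIZATIONFAILED] No such auth-ID",
    "2009-03-11T20:21:46Z 192.0.2.10 f NO [AUTHORIZATIONFAILED] No such auth-ID",
]

def flag_enumeration(log_lines, threshold=3):
    """Map client IP -> count for sources that received AUTHORIZATIONFAILED
    at least `threshold` times; each such response confirms a valid identity."""
    hits = Counter()
    for line in log_lines:
        _ts, ip, resp = line.split(" ", 2)
        parsed = parse_response(resp)
        if parsed and parsed["code"] == "AUTHORIZATIONFAILED":
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} AUTHORIZATIONFAILED responses (possible identity probing)")
```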