Re: [art] Review of draft-levine-herkula-oneclick
"John R Levine" <johnl@taugh.com> Tue, 08 November 2016 07:55 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29E9D1293FB for <art@ietfa.amsl.com>; Mon, 7 Nov 2016 23:55:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BIGNUM_EMAILS=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=UVi+aKG0; dkim=pass (1536-bit key) header.d=taugh.com header.b=zGHgQj/W
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CJSIQLRxjUvZ for <art@ietfa.amsl.com>; Mon, 7 Nov 2016 23:55:39 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC85A1293D8 for <art@ietf.org>; Mon, 7 Nov 2016 23:55:38 -0800 (PST)
Received: (qmail 9932 invoked from network); 8 Nov 2016 07:55:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=26cb.582184fa.k1611; bh=Qh54lVExyMOA2LZhBe96J7G72E1ZKqjr4MEdcNph4fk=; b=UVi+aKG0x7HmrtsFEtYjb1jntSZcLQCfbTVmWqDyMSlMPewfiQlOH7mdQOMMeprGhDj5yxEFfEO3MWA2kGsFNnjbXhBxAEt6aLkpRbBrAxvn6Xv+rEporTuc6BMbwSk4XMa9w3x3CQncFL/ZG22/Tu43/Reh+6cXhovQuetwon34cjzY5ceFjVyiypXT0uBiafR4J1tby/GoRfiV1TcJ2DumwxebTgnscTBCbn59KxiKBUUjS8HuSKjlKxZQ8Wtd
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=26cb.582184fa.k1611; bh=Qh54lVExyMOA2LZhBe96J7G72E1ZKqjr4MEdcNph4fk=; b=zGHgQj/W45Qv3WzsRyyD9AJHPNRntFBpQo9MI0FbO0eG4Qg2hcMsKvqV70ycI3t0OsjQ/y0d84/6cIXm/6WgA/XNorPy9iyK/9B743GsO0uiYIQGQXFF5Vs8eChXnTJoZSTzF+oDzAuVfl9/WHKnuFnFy3J3X6S53jfi+JN8UryC9xwSQRweZmp4FS2cui+nWEYuiRS/Gbo3xCRYCBQ5SsbLGxmQL7KfVgCiK1+XU2lz9Nj+LyEPRoV6oF30Ie0A
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 08 Nov 2016 07:55:37 -0000
Date: Tue, 08 Nov 2016 13:25:32 +0530
Message-ID: <alpine.OSX.2.11.1611080805310.5178@ary.local>
From: John R Levine <johnl@taugh.com>
To: Martin Thomson <martin.thomson@gmail.com>
In-Reply-To: <CABkgnnXhutqsWfh+F3E+0_fRoCWHSNNeu9tbc4sfxSDHZ7c=zA@mail.gmail.com>
References: <CABkgnnXZ6a85i15SeZ1FZ=4G7xb61i0txXt2yY-kW_ti1yHQsg@mail.gmail.com> <20161106172117.6531.qmail@ary.lan> <CABkgnnXhutqsWfh+F3E+0_fRoCWHSNNeu9tbc4sfxSDHZ7c=zA@mail.gmail.com>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/rT22JiAHqlFucjobfuHnezR--_c>
Cc: "gen-art@ietf.org" <art@ietf.org>, John Levine <johnl@taugh.com>
Subject: Re: [art] Review of draft-levine-herkula-oneclick
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 07:55:40 -0000
> You really need to explain that GET to the URI sometimes unsubscribes > immediately (i.e., is unsafe) and sometimes shows a confirmation page. I thought I did. We seem to agree about what it should say, I'll see if I can make it clearer. >>> value pairs MUST contain the pair "List-Unsubscribe=One-Click". > OK, now I'm really confused. Why would you waste so many octets to > send a single bit? Basically, because we want to and it doesn't hurt anything. At this stage I'd want a much stronger reason to change the running code than that it's ugly. >>> [ re URIs and ]the entropy requirement needs to be explicit. >>> 96-bits of data that cannot be predicted by an attacker should suffice. >> >> I think you're making unwarranted assumptions about the security goals >> of the people who implement this. > No, I'm not making assumptions, I'm describing what it takes to make > something secure. I would also assert that given how easy it is to do > so, it's worth doing. A list with a million names is quite large. If there were a 40 bit identifier space, you'd get one in a million tries, a 50 bit space one in a billion, and since a try requires an http transaction, they are not particularly fast. Where does 96 bits come from? Also with respect to cookies and other context, the reason -08 says not to send them is to prevent marketers from connecting the unsub to the user's previous actvities in the scenario where it's coming from an MUA. If a bad guy were scripting something and doing multiple unsub tries with the same cookies, that'd be an immediate tell. >>> #6 Section 3.1 >>> >>> The One-Click action triggered by this URI SHOULD complete promptly >>> and not burden the requester in an inappropriate way. Upon further thought, this is just wrong. Humans need a fast response since they are impatient, but computers can be arbitrarily patient. Out it goes. [ re sending the POST argument as a web form ] > Allowing mail receivers to modify the data makes this worse for the > mail sender, who has to parse this gunk. (I'm not the only one who > thinks that HTML form posting is a legacy the web could happily leave > behind.) Perhaps, but the people who are using this use web forms all the time, notably on the two-click confirmation page, so the gunk parser is already there. The libraries they use have well debugged support for forms, both sending and receiving. I can believe that in whatever library one might use there is some way to send a blob and for the receiver to fetch it back, but in my apps using frameworks like Django or Bottle, the web form arguments show up as a dictionary for free. If we were rebuilding the web from scratch, we would no doubt do this differently, but we're not. This is a small tweak to systems that use forms now. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
- [art] Review of draft-levine-herkula-oneclick Martin Thomson
- Re: [art] Review of draft-levine-herkula-oneclick John Levine
- Re: [art] Review of draft-levine-herkula-oneclick Martin Thomson
- Re: [art] Review of draft-levine-herkula-oneclick John R Levine