Re: [Gen-art] Genart telechat review of draft-ietf-uta-smtp-tlsrpt-18

Alissa Cooper <alissa@cooperw.in> Thu, 19 April 2018 01:41 UTC

From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <152293620742.25921.15349241552991574638@ietfa.amsl.com>
Date: Wed, 18 Apr 2018 21:41:41 -0400
Cc: IETF Gen-ART <gen-art@ietf.org>, uta@ietf.org, draft-ietf-uta-smtp-tlsrpt.all@ietf.org
Message-Id: <1C08E4F5-0A11-4DE5-9DC8-42CDBCB04C27@cooperw.in>
References: <152293620742.25921.15349241552991574638@ietfa.amsl.com>
To: Joel Halpern <jmh@joelhalpern.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/KEt_fAmWnDcZ7E9CVAxLm7MwM0o>

Joel, thanks for your review. From the thread about Ben’s DISCUSS it looks like text to clarify the point about ignoring certificate validation errors may be forthcoming. I have noted this in my No Objection ballot and asked the authors to review your other points.

Alissa

> On Apr 5, 2018, at 9:50 AM, Joel Halpern <jmh@joelhalpern.com> wrote:
> 
> Reviewer: Joel Halpern
> Review result: Ready
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-uta-smtp-tlsrpt-18
> Reviewer: Joel Halpern
> Review Date: 2018-04-05
> IETF LC End Date: 2018-04-02
> IESG Telechat date: 2018-04-19
> 
> Summary: This document is ready for publication as a Proposed Standard RFC
>    My thanks to the authors for addressing my major concerns and most of my
>    minor concerns.
> 
> Major issues:
> 
> Minor issues:
>     There are several areas where the document would be helped by better
>     explanations.  From my previous review:
> 
>    Section 3, bullet 3, says that submitters using POST can ignore certificate
>    validation errors when using https.  That seems to undermine the usage of
>    https.  As such, I would expect to at least see some explanation of when
>    and why ignoring such errors is appropriate.
> 
>    It is surprising in Section 3 Bullet 4 that reporting via email requires
>    that the report submitted use DKIM.  Particularly while ignoring any
>    security errors in communicating with the recipient domain.
> 
>    In the formal definition of the txt record, shouldn't the URI format also
>    indicate that semicolon needs to be encoded?
> 
>    Section 5.1 defines a report filename.  This is probably a naive question,
>    but what is that for?  If using HTTPS, the earlier text says that the POST
>    operation goes to the target URI from the txt record.  When using email,
>    there is no apparent need for a filename.
> 
>    Most of the security risks described in the Security section (7) do not
>    seem to have any mitigation.  Should there not be some explanation why
>    deployment is acceptable with these risks?
> 
> Nits/editorial comments:
> 
> 
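The semicolon-encoding point in the quoted review above (whether the URI format in the TXT record should say that `;` must be encoded), as an added example that is not part of the original thread, the review, or the draft's own text. It assumes the record shape `v=TLSRPTv1; rua=<uri>[,<uri>...]` published at `_smtp._tls.<domain>`, which is the form in RFC 8460 (the RFC this draft became); the function names, the sample records and the choice to reject unknown URI schemes are this example's own. The parser shows what goes wrong when a reporting URI carries a raw `;`: the record parser splits on it first, the URI is silently truncated, and the remainder is taken as an unrelated field.

```python
"""Parse and build SMTP TLS Reporting (TLSRPT) DNS TXT records.

Added example, not from the draft or the mailing-list thread.
Assumed record form (as in RFC 8460): v=TLSRPTv1; rua=<uri>[,<uri>...]
Sample records below are constructed for this example.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit

# Characters that are syntax inside the record itself: ';' separates
# fields, ',' separates URIs inside rua, '!' is reserved. A URI that
# contains any of them has to carry them percent-encoded or the record
# parser will consume them before the URI is ever looked at.
RESERVED = {";": "%3B", ",": "%2C", "!": "%21"}

# Schemes this example accepts for rua; rejecting others is a choice
# made here, not a statement about the specification.
ACCEPTED_SCHEMES = ("mailto", "https")


class TLSRPTError(ValueError):
    """Malformed TLSRPT record."""


def encode_rua_uri(uri: str) -> str:
    """Percent-encode the record-syntax characters so the URI survives
    being embedded in the rua field. Already-encoded input is left alone
    because '%' itself is not touched."""
    return "".join(RESERVED.get(ch, ch) for ch in uri)


def build_record(uris: list[str]) -> str:
    """Assemble a publishable TXT record from decoded reporting URIs."""
    if not uris:
        raise TLSRPTError("at least one rua URI is required")
    return "v=TLSRPTv1; rua=" + ",".join(encode_rua_uri(u) for u in uris)


def parse_tlsrpt(txt: str) -> dict:
    """Return {'rua': [decoded URIs], 'extensions': {other fields}}.

    The split order mirrors how a record parser has to work: fields on
    ';' first, then rua on ','. A URI with an unencoded ';' therefore
    loses everything after it, and the tail shows up as an extra field.
    """
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or "=" not in fields[0]:
        raise TLSRPTError("missing version field")
    key, value = (s.strip() for s in fields[0].split("=", 1))
    if key != "v" or value != "TLSRPTv1":
        raise TLSRPTError(f"unexpected version field {fields[0]!r}")

    kv: dict[str, str] = {}
    for field in fields[1:]:
        if "=" not in field:
            raise TLSRPTError(f"field without '=': {field!r}")
        k, v = (s.strip() for s in field.split("=", 1))
        if k in kv:
            raise TLSRPTError(f"duplicate field {k!r}")
        kv[k] = v

    if "rua" not in kv:
        raise TLSRPTError("no rua field")

    uris: list[str] = []
    for raw in kv.pop("rua").split(","):
        raw = raw.strip()
        if not raw:
            raise TLSRPTError("empty URI in rua")
        uri = unquote(raw)  # undo %3B / %2C / %21 (and any other escapes)
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in ACCEPTED_SCHEMES:
            raise TLSRPTError(f"unsupported scheme in {uri!r}")
        uris.append(uri)

    return {"rua": uris, "extensions": kv}


if __name__ == "__main__":
    # Constructed sample: an HTTPS endpoint whose query string contains ';'.
    wanted = ["mailto:tlsrpt@example.com",
              "https://report.example/tlsrpt?a=1;b=2"]
    good = build_record(wanted)
    print(good)
    print(parse_tlsrpt(good))
    # Same endpoint published without encoding: note the truncated URI.
    print(parse_tlsrpt("v=TLSRPTv1; rua=https://report.example/tlsrpt?a=1;b=2"))
```

Running the module shows the encoded record round-tripping to the two intended URIs, while the unencoded variant yields `rua` of `https://report.example/tlsrpt?a=1` plus a stray `b=2` extension field, which is exactly why the record's URI grammar needs to call out `;` (and `,` and `!`) as characters that must be percent-encoded.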