[ietf-privacy] PPM Review of RFC 5068

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 20 May 2014 09:33 UTC

Message-ID: <537B217B.8070605@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-privacy/lC7BSevfU2IynS-4ajoRmDVWWHU

Trying to eat my own dog food, I drew this one...

- I guess this could be updated to say "don't offer an MSA that ever
allows for cleartext submission" but UTA will probably get to that.

- Section 4 does actually mention privacy which is good!

- I also generally dislike how MUAs ask for both username and password
before they do MSA discovery - I always worry that the MUA is liable to
be sending those to the n/w insecurely, so maybe a BCP could suggest
something there.

- Not sure if RFC4954 is still something we'd recommend (but I didn't
read it, so maybe it is), seems like TLS is the right thing today for this.
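
One way to check the first point in the message above, that an MSA never accepts credentials in cleartext: an added example, not part of the original message, that audits EHLO replies captured before and after STARTTLS. The host name and the sample replies are constructed, and the function names are hypothetical.

```python
import re
from typing import Optional

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = reply.strip().splitlines()
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " marks the final line.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker in the wrong place")
        if i == 0:
            continue  # first line is the server greeting, not a capability
        # Some servers also advertise the legacy form "AUTH=LOGIN".
        words = re.split(r"[ =]+", m.group(2).strip())
        if words and words[0]:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def audit_msa(pre_tls: str, post_tls: Optional[str]) -> list:
    """Return findings for an MSA given its EHLO replies.

    pre_tls  -- EHLO reply on the cleartext connection
    post_tls -- EHLO reply after STARTTLS, or None if TLS was not possible
    """
    findings = []
    pre = parse_ehlo(pre_tls)
    if "AUTH" in pre:
        # A client following this advertisement sends credentials unprotected.
        findings.append("AUTH offered before STARTTLS: " + " ".join(pre["AUTH"]))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    elif post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("no AUTH offered after STARTTLS")
    return findings

# Constructed sample replies for a hypothetical host msa.example.net.
WEAK_PRE = "250-msa.example.net\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
GOOD_PRE = "250-msa.example.net\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
GOOD_POST = "250-msa.example.net\r\n250-SIZE 10240000\r\n250 AUTH PLAIN LOGIN\r\n"

if __name__ == "__main__":
    for name, pre in (("weak", WEAK_PRE), ("good", GOOD_PRE)):
        print(name, audit_msa(pre, GOOD_POST) or "ok")
```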