Re: Requesting comments on draft-cheney-safe-02.txt

"Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil> Thu, 30 July 2009 22:36 UTC

To: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Cc: ietf-smtp@imc.org

The idea is that security vulnerabilities on the internet occur most significantly as a result of client-side scripting from documents transmitted across HTTP.  By most significant I mean as measured by quantity and not severity.  In addition to frequent immediate vulnerabilities, client-side scripting can also operate as an execution point for other additional vulnerabilities not directly associated with client-side scripting.  It is my opinion that the only way to solve this security problem is to either break HTTP or eliminate client-side scripting.  I find there is no reason to break HTTP since it is working perfectly well and is not to blame for this problem.  Client-side scripting cannot be removed unless an alternative convention is proposed.

It is absolutely imperative that a solution exist as the quantity of these security problems is continually increasing and there is no possible solution available from HTTP.  If a solution is not proposed the security flaws of the system will become so significant that the commercial value of financial transactions and PII leaks will eventually result in abandoning the internet as an open platform in favor of more secure proprietary technologies.

As an alternative method of allowing interactivity from client-side scripting I wrote this document to migrate the concept of client-side scripting to the email architecture.  The idea is that interactivity from client-side scripting can be replaced by transaction interactivity.  Since mail servers are intermediate agents in the transmission, as opposed to an end point like an HTTP server, they can make processing or scripting decisions upon data without that scripting having to exist on a client system.  In other words, it is basically an inverted form of AJAX that does not execute on the client-side.  The idea is easily possible using SMTP, but is not possible over HTTP since HTTP does not have intermediate agents between the client and server.

Thanks,
Austin

----- Original Message -----
From: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Date: Friday, July 31, 2009 1:44
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
To: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
Cc: ietf-smtp@imc.org


> Cheney, Edward A SSG RES USAR USARC wrote:
> 
> > I am requesting comments on the following internet draft.  Any
> > questions, confusion, feedback, or changes would be helpful.
> >
> > http://tools.ietf.org/id/draft-cheney-safe-02.txt
> 
> Interesting idea.  What's the use case you have in mind?  In other words:
> who will use it, and why?
> 
> -- 
> J.D. Falk
> Return Path Inc
> http://www.returnpath.net/