IETF Logo Mail Archive

Re: Requesting comments on draft-cheney-safe-02.txt

"Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil> Fri, 31 July 2009 13:54 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n6VDskpF080827 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 31 Jul 2009 06:54:46 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n6VDsjsC080826; Fri, 31 Jul 2009 06:54:45 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mxoutps1.us.army.mil (mxoutps1.us.army.mil [143.69.250.38]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n6VDsYrN080804 for <ietf-smtp@imc.org>; Fri, 31 Jul 2009 06:54:44 -0700 (MST) (envelope-from austin.cheney@us.army.mil)
DomainKey-Signature: s=ako; d=us.army.mil; c=nofws; q=dns; h=From:X-AKO:X-IronPort-AV:Received:Received:To:Cc: Message-ID:Date:X-Mailer:MIME-Version:Content-Language: Subject:X-Accept-Language:Priority:In-Reply-To:References: Content-Type:Content-Disposition: Content-Transfer-Encoding; b=P64U/8jbAN93EA+F4itkOJUoS2CRIH5DcdxzFQXUB2dX5Fmg6c+uRdHo +uqemfINUuF/tS4SIb/a2BjYL3nH6Q==;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=us.army.mil; i=austin.cheney@us.army.mil; q=dns/txt; s=akodkim; t=1249048485; x=1280584485; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20"Cheney,=20Edward=20A=20SSG=20RES=20USAR=20USARC "=20<austin.cheney@us.army.mil>|Subject:=20Re:=20Requesti ng=20comments=20on=20draft-cheney-safe-02.txt|Date:=20Fri ,=2031=20Jul=202009=2017:54:33=20+0400|Message-ID:=20<f77 e91c9cada.4a732fd9@us.army.mil>|To:=20Hector=20Santos=20< hsantos@santronics.com>|Cc:=20"J.D.=20Falk"=20<jdfalk-lis ts@cybernothing.org>,ietf-smtp@imc.org|MIME-Version:=201. 0|Content-Transfer-Encoding:=207bit|In-Reply-To:=20<4A726 C53.4070607@santronics.com>|References:=20<f6fecbd18af7.4 a721c99@us.army.mil>=0D=0A=20<4A720D35.1000306@cybernothi ng.org>=0D=0A=20<f6e091e580a6.4a7258af@us.army.mil>=20<4A 726C53.4070607@santronics.com>; bh=vri6BE1GxlxO/YK8kooEoxP0W+sxHEFY29XzC+2msw0=; b=eq4XNCxMhdtKy32eHSIEE4giXp/5ZKU/YhcP2yXvUptjqLcxtB1jp19F ZIuM58wCcM7t0jrgJmuisimd/PZadNGK5pngzhUwItZl6NvlBi4xJSksM EBJAqToLFvVbF/AohT5beMYNmFMMMRs3JynsZfGGe83f2lPiK7l15YdS1 o=;
From: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
X-AKO: 96277566:10.224.29.21:31 Jul 2009 13:54:33 +0000:$Webmail:None
X-IronPort-AV: E=Sophos;i="4.43,303,1246838400"; d="scan'208";a="96277566"
Received: from lb2pip21.int.ps1.us.army.mil (HELO us.army.mil) ([10.224.29.21]) by mxoutps1.us.army.mil with ESMTP; 31 Jul 2009 13:54:33 +0000
Received: from [10.224.32.177] (Forwarded-For: 217.163.18.130, [10.224.32.177]) by mail15.int.ps1.us.army.mil (mshttpd); Fri, 31 Jul 2009 17:54:33 +0400
To: Hector Santos <hsantos@santronics.com>
Cc: "J.D. Falk" <jdfalk-lists@cybernothing.org>, ietf-smtp@imc.org
Message-ID: <f77e91c9cada.4a732fd9@us.army.mil>
Date: Fri, 31 Jul 2009 17:54:33 +0400
X-Mailer: Sun Java(tm) System Messenger Express 6.3-6.03 (built Mar 14 2008; 32bit)
MIME-Version: 1.0
Content-Language: en
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
X-Accept-Language: en
In-Reply-To: <4A726C53.4070607@santronics.com>
References: <f6fecbd18af7.4a721c99@us.army.mil> <4A720D35.1000306@cybernothing.org> <f6e091e580a6.4a7258af@us.army.mil> <4A726C53.4070607@santronics.com>
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

Hector,

I must have not communicated the problem and objective clearly.  The security problem only exists in the realm of the WWW.  The solution to this problem, as I propose it, only exists over SMTP.  The idea is to eventually abandon use of all client-side scripting on WWW in favor of an alternate secure solution that is only capable of existing over SMTP.

I am not actually proposing to mix or merge HTTP and SMTP transaction states.  I have not thought of such an idea, and so such might be possible but I have given no thought to how that might work.  The closet to mixing protocols that I have ever thought of is to supply a URI in a markup language over email that may be either HTTP or SMTP as defined by that URI.

Thanks,
Austin

----- Original Message -----
From: Hector Santos <hsantos@santronics.com>
Date: Friday, July 31, 2009 8:30
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
To: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
Cc: "J.D. Falk" <jdfalk-lists@cybernothing.org>, ietf-smtp@imc.org


> Do you have examples of these HTTP-based SMTP Client Side Script?
> 
> I presume its a HTTP POST request on port 25 (or some other known 
> SMTP 
> server port) with the posted request body content containing  
> batched 
> SMTP commands?
> 
> Off hand, I am not sure if the security concerns are SMTP related.
> 
> -- 
> Hector Santos
> http://www.santronics.com
> 
> 
> 
> Cheney, Edward A SSG RES USAR USARC wrote:
> 
> > The idea is that security vulnerabilities on the internet occur 
> most significantly as a result of client-side scripting from 
> documents transmitted across HTTP.  By most significant I mean as 
> measured by quantity and not severity.  In addition to frequent 
> immediate vulernabilities client-side scripting can also operate as 
> an execution point for other additional vulernabilities not 
> directly associated with client-side scripting.  It is my opinion 
> that the only way to solve this security problem is to either break 
> HTTP or eliminate client-side scripting.  I find there is no reason 
> to break HTTP since it is working perfectly well and is not to 
> blame for this problem.  Client-side scripting cannot be removed 
> unless an alternative convention is proposed.
> > 
> > It is absolutely imparitive that a solution exist as the quantity 
> of these security problems are continually increasing and there is 
> no possible solution available from HTTP.  If a solution is not 
> proposed the security flaws of the system will become so 
> significant that the commerical value of financial transactions and 
> PII leaks will eventually result in abandoning the internet as an 
> open platform in favor of more secure proprietary technologies.
> > 
> > As an alerternative method of allowing interactivity from client-
> side scripting I wrote this document to migrate the concept of 
> client-side scripting to the email architecture.  The idea is that 
> interactivity from client-side scripting can be replaced by 
> transaction interactivity.  Since mail servers are intermediate 
> agents in the transmission, opposed to an end point like an HTTP 
> server, they can make processing or scripting decisions upon data 
> without that scripting having to exist on a client system.  In 
> other words, it is basically an inverted form of AJAX that does not 
> execute on the client-side.  The idea is easily possible using 
> SMTP, but is not possible over HTTP since HTTP does not have 
> intermediate agents between the client and server.
> > 
> > Thanks,
> > Austin
> > 
> > ----- Original Message -----
> > From: "J.D. Falk" <
> > Date: Friday, July 31, 2009 1:44
> > Subject: Re: Requesting comments on draft-cheney-safe-02.txt
> > To: "Cheney, Edward A SSG RES USAR USARC" <
> > Cc: ietf-smtp@imc.org
> > 
> > 
> >> Cheney, Edward A SSG RES USAR USARC wrote:
> >>
> >>> I am requesting comments on the following this internet draft.  Any
> >>> questions, confusion, feedback, or changes would be helpful.
> >>>
> >>> http://tools.ietf.org/id/draft-cheney-safe-02.txt
> >> Interesting idea.  What's the use case you have in mind?  In other 
> >> words: 
> >> who will use it, and why?
> >>
> >> -- 
> >> J.D. Falk
> >> Return Path Inc
> >> http://www.returnpath.net/
> > 
> > 
> > 
> 
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email