Re: Requesting comments on draft-cheney-safe-02.txt
"Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil> Fri, 31 July 2009 13:54 UTC
To: Hector Santos <hsantos@santronics.com>
Cc: "J.D. Falk" <jdfalk-lists@cybernothing.org>, ietf-smtp@imc.org
Hector,

I must have not communicated the problem and objective clearly. The security problem only exists in the realm of the WWW. The solution to this problem, as I propose it, only exists over SMTP. The idea is to eventually abandon use of all client-side scripting on WWW in favor of an alternate secure solution that is only capable of existing over SMTP.

I am not actually proposing to mix or merge HTTP and SMTP transaction states. I have not thought of such an idea, and so such might be possible but I have given no thought to how that might work. The closest to mixing protocols that I have ever thought of is to supply a URI in a markup language over email that may be either HTTP or SMTP as defined by that URI.

Thanks,
Austin

----- Original Message -----
From: Hector Santos <hsantos@santronics.com>
Date: Friday, July 31, 2009 8:30
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
To: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
Cc: "J.D. Falk" <jdfalk-lists@cybernothing.org>, ietf-smtp@imc.org

> Do you have examples of these HTTP-based SMTP Client Side Script?
>
> I presume it's a HTTP POST request on port 25 (or some other known SMTP
> server port) with the posted request body content containing batched
> SMTP commands?
>
> Off hand, I am not sure if the security concerns are SMTP related.
>
> --
> Hector Santos
> http://www.santronics.com
>
> Cheney, Edward A SSG RES USAR USARC wrote:
>
> > The idea is that security vulnerabilities on the internet occur most
> > significantly as a result of client-side scripting from documents
> > transmitted across HTTP. By most significant I mean as measured by
> > quantity and not severity. In addition to frequent immediate
> > vulnerabilities client-side scripting can also operate as an execution
> > point for other additional vulnerabilities not directly associated with
> > client-side scripting. It is my opinion that the only way to solve this
> > security problem is to either break HTTP or eliminate client-side
> > scripting. I find there is no reason to break HTTP since it is working
> > perfectly well and is not to blame for this problem. Client-side
> > scripting cannot be removed unless an alternative convention is proposed.
> >
> > It is absolutely imperative that a solution exist as the quantity of
> > these security problems is continually increasing and there is no
> > possible solution available from HTTP. If a solution is not proposed the
> > security flaws of the system will become so significant that the
> > commercial value of financial transactions and PII leaks will eventually
> > result in abandoning the internet as an open platform in favor of more
> > secure proprietary technologies.
> >
> > As an alternative method of allowing interactivity from client-side
> > scripting I wrote this document to migrate the concept of client-side
> > scripting to the email architecture. The idea is that interactivity from
> > client-side scripting can be replaced by transaction interactivity.
> > Since mail servers are intermediate agents in the transmission, opposed
> > to an end point like an HTTP server, they can make processing or
> > scripting decisions upon data without that scripting having to exist on
> > a client system. In other words, it is basically an inverted form of
> > AJAX that does not execute on the client-side. The idea is easily
> > possible using SMTP, but is not possible over HTTP since HTTP does not
> > have intermediate agents between the client and server.
> >
> > Thanks,
> > Austin
> >
> > ----- Original Message -----
> > From: "J.D. Falk" <
> > Date: Friday, July 31, 2009 1:44
> > Subject: Re: Requesting comments on draft-cheney-safe-02.txt
> > To: "Cheney, Edward A SSG RES USAR USARC" <
> > Cc: ietf-smtp@imc.org
> >
> >> Cheney, Edward A SSG RES USAR USARC wrote:
> >>
> >>> I am requesting comments on the following internet draft. Any
> >>> questions, confusion, feedback, or changes would be helpful.
> >>>
> >>> http://tools.ietf.org/id/draft-cheney-safe-02.txt
> >>
> >> Interesting idea. What's the use case you have in mind? In other
> >> words: who will use it, and why?
> >>
> >> --
> >> J.D. Falk
> >> Return Path Inc
> >> http://www.returnpath.net/