Re: [EAI] RFC 5335
John C Klensin <john-ietf@jck.com> Wed, 20 April 2016 16:33 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ima@ietfa.amsl.com
Delivered-To: ima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A303D12E435 for <ima@ietfa.amsl.com>; Wed, 20 Apr 2016 09:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.39
X-Spam-Level:
X-Spam-Status: No, score=-1.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJlL0u7K9mB8 for <ima@ietfa.amsl.com>; Wed, 20 Apr 2016 09:33:50 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30BB112E092 for <ima@ietf.org>; Wed, 20 Apr 2016 09:33:50 -0700 (PDT)
Received: from [198.252.137.10] (helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1asv4X-000Nux-1E; Wed, 20 Apr 2016 12:33:49 -0400
Date: Wed, 20 Apr 2016 12:33:43 -0400
From: John C Klensin <john-ietf@jck.com>
To: Alan Ayres <adayres@monicals.com>
Message-ID: <AECA29E7C05D83CE9736F93A@JcK-HP8200.jck.com>
In-Reply-To: <782609480-681267200@mail.monicals.com>
References: <782609480-681267200@mail.monicals.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <http://mailarchive.ietf.org/arch/msg/ima/WSVnIDRpC-41Nyuu5DYGo_KEtF0>
Cc: ima@ietf.org
Subject: Re: [EAI] RFC 5335
X-BeenThere: ima@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "EAI \(Email Address Internationalization\)" <ima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ima>, <mailto:ima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ima/>
List-Post: <mailto:ima@ietf.org>
List-Help: <mailto:ima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 16:33:51 -0000
Alan, Thanks to Cindy for forwarding this. A few comments inline below; others on the WG mailing list may have things to add. --On Tuesday, April 19, 2016 08:11 -0500 Alan Ayres <adayres@monicals.com> wrote: > From: Cindy Morgan via RT <iesg-secretary@ietf.org> > To: <adayres@monicals.com> > Sent: 4/18/2016 4:46 PM > Subject: [www.ietf.org/rt #119754] RFC 5335 > > Alan, > > You have reached the IETF Secretariat, and as such, we are not > qualified to answer your question. > > It looks like RFC 5335 was product of the Email Address > Internationalization Working Group, which concluded back in > 2013. However, the mailing list for that group is still > active, and you may have better luck if you try your question > there. The address for that mailing list is: ima@ietf.org > You may also want to note that RFC 5335 was obsoleted by RFC > 6532 <http://www.rfc-editor.org/info/rfc6532> in 2012. > > Best regards, > Cindy > > On Fri Apr 08 08:14:58 2016, adayres@monicals.com wrote: >> Recently a part by iSHERIFF titled "Office 365 Security: Why >> you need to be worried" came across my desk slamming Office >> 365. >> Per the article, a claim is made that Office 365 does not >> follow current RFC standards for email headers. I can't comment on Office 365 at all and, since I've never installed and used Outlook, have no firsthand information about how it handles non-ASCII addressing. However, it has been my impression from earlier discussions that the intent was to make it standards-conforming when it was upgraded to handle non-ASCII mailbox names. There are people on this list who are probably much more familiar with it. They may want to comment. >> The claim >> goes on to suggest that a lack of RFC 5335 exposes anyone to >> unauthorized intercept, editing and the ability to resend >> these messages with malicious content within the headers of >> the message. As you appear to be an authority of RFC 5335, I >> was hoping you would add your input to these claims as >> pertaining to RFC 5335. First of all, RFC 5335 was an Experimental specification, published to gain experience with the idea of non-ASCII email addresses and headers. I was never a standard of any type and anyone complaining about non-conformance to it has, at best, a fundamental misunderstanding about the relationships involved. The standard most closely related to 5335 is, as Cindy mentioned, RFC 6532. I recommend reading RFC 6530 as well and probably first. Second, I don't understand the attack model in the claims you describe. The SMTPUTF8 work is rather carefully designed to ensure that messages with non-ASCII addresses (mailbox names) or headers that do not conform to the ASCII limitations of RFC 5322 are never delivered to systems that do not support them. If those rules, described in RFC 6530 and 6531, are followed, then a system that lacks adequate support would never see such a message, much less be in a position to resend as you indicate. I don't remember, but it may be that the model of RFC 5335 could create such a vunerability -- the major difference between the earlier experimental work and the standards track documents is that the earlier work included provisions for trying to rewrite addresses and messages to allow them to go through in an ASCII-only environment while the standards recognize that such attempts are likely to cause far more problems than they solve -- but the standards, AFAIK, do not. Of course, partial implementations that allow non-ASCII addresses or headers without conforming to the standards could get themselves into all sorts of trouble, but that is true of email headers and transmission generally. If "iSHERIFF" thinks that there are attack vectors for implementations of the standards specified in RFC 6530 - 6533, it would be good if he or she would get on this list and explain them. No one really cares about RFC 5335 any more. --john (For identification, Former Co-Chair of the IMA WG, co-author RFC 6530, editor RFC 5321)
- Re: [EAI] RFC 5335 John C Klensin
- [EAI] RFC 5335 Alan Ayres
- Re: [EAI] RFC 5335 ned+ima
- Re: [EAI] RFC 5335 Shawn Steele
- Re: [EAI] RFC 5335 Randall Gellens
- Re: [EAI] RFC 5335 Franck Martin