IETF Logo Mail Archive

RE: Further IESG feedback on draft-crispin-imapv-17.txt

"Larry Osterman" <larryo@exchange.MICROSOFT.com> Fri, 20 September 2002 20:59 UTC

Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g8KKxUa07777 for ietf-imapext-bks; Fri, 20 Sep 2002 13:59:30 -0700 (PDT)
Received: from df-inet1.exchange.microsoft.com (df-inet1.exchange.microsoft.com [131.107.8.8]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g8KKxSk07772 for <ietf-imapext@imc.org>; Fri, 20 Sep 2002 13:59:29 -0700 (PDT)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by df-inet1.exchange.microsoft.com with Microsoft SMTPSVC(5.0.2195.5255); Fri, 20 Sep 2002 13:59:40 -0700
Received: from 10.197.0.60 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 20 Sep 2002 13:58:56 -0700
Received: from DF-BOWWOW.platinum.corp.microsoft.com ([10.197.1.20]) by DF-YURI.platinum.corp.microsoft.com with Microsoft SMTPSVC(6.0.3663.0); Fri, 20 Sep 2002 13:59:01 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Further IESG feedback on draft-crispin-imapv-17.txt
Date: Fri, 20 Sep 2002 13:59:01 -0700
Message-ID: <72C5FDA4D9CC3045B80EA1B76DB86A99ED2CC0@DF-BOWWOW.platinum.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Further IESG feedback on draft-crispin-imapv-17.txt
thread-index: AcJg4+Uwrdc83E0XQKq28Ttoijm/UgABI5lg
From: Larry Osterman <larryo@exchange.MICROSOFT.com>
To: Mark Crispin <MRC@cac.washington.edu>, ned.freed@mrochek.com
Cc: IMAP Mailing List <imap@u.washington.edu>, IMAP Extensions WG <ietf-imapext@imc.org>, ned.freed@mrochek.com, paf@cisco.com, jis@mit.edu
X-OriginalArrivalTime: 20 Sep 2002 20:59:01.0529 (UTC) FILETIME=[8BE19090:01C260E8]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g8KKxTk07773
Sender: owner-ietf-imapext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-imapext/mail-archive/>
List-ID: <ietf-imapext.imc.org>
List-Unsubscribe: <mailto:ietf-imapext-request@imc.org?body=unsubscribe>

What's the standards track status on IMAP-TLS?  Won't citing it as a
reference tie the base standard to a subsidiary standard?  Other than
that nit, I personally like the wording.


Larry Osterman 



-----Original Message-----
From: Mark Crispin [mailto:MRC@cac.washington.edu] 
Sent: Friday, September 20, 2002 1:18 PM
To: ned.freed@mrochek.com
Cc: IMAP Mailing List; IMAP Extensions WG; ned.freed@mrochek.com;
paf@cisco.com; jis@mit.edu
Subject: re: Further IESG feedback on draft-crispin-imapv-17.txt



OK, here is what I have for draft 18, based upon all the comments which
I have read.  Please try to give me feedback on whether or not this is
will be acceptable to the IESG as soon as possible.  I'd like to send
draft 18 by the end of the day today and hopefully not need a draft 19.

In AUTHENTICATE command, change:

           Note: a server implementation SHOULD NOT permit any
           plaintext password mechanisms unless the STARTTLS
           command described in [IMAP-TLS] has been negotiated.
           Client and server implementations SHOULD implement
           additional SASL mechanisms which do not use plaintext
           passwords, such the GSSAPI mechanism described in [SASL]
           and/or the [DIGEST-MD5] mechanism.

to:

           Note: a server implementation MUST implement a
           configuration in which it does NOT permit any plaintext
           password mechanisms, unless either the STARTTLS command
           described in [IMAP-TLS] has been negotiated or some other
           mechanism that protects the session from password
           snooping has been provided.  Server sites SHOULD NOT use
           any configuration which permits a plaintext password
           mechanism without such a protection mechanism against
           password snooping.  Client and server implementations
           SHOULD implement additional SASL mechanisms which do not
           use plaintext passwords, such the GSSAPI mechanism
           described in [SASL] and/or the [DIGEST-MD5] mechanism.


In LOGIN command, add:

        A server implementation MUST implement a configuration in
        which it advertises the LOGINDISABLED capability described
        in [IMAP-TLS] and does NOT permit the LOGIN command, unless
        either the STARTTLS command described in [IMAP-TLS] has
        been negotiated or some other mechanism that protects the
        session from password snooping has been provided.  Server
        sites SHOULD NOT use any configuration which permits the
        LOGIN command without such a protection mechanism against
        password snooping.  A client implementation MUST NOT send a
        LOGIN command if the LOGINDISABLED capability is
        advertised.


In Security Considerations, add:

   A server implementation MUST implement a configuration in which, at
   the time of authentication, requires that:
      (1) The STARTTLS command command described in [IMAP-TLS] has been
      negotiated.
   OR
      (2) Some other mechanism that protects the session from password
      snooping has been provided.
   OR
      (3) The following measures are in place:
         (a) The LOGINDISABLED capability as described in [IMAP-TLS] is
         advertised, and [SASL] mechanisms (such as PLAIN) which use
         plaintext passwords are NOT advertised in the CAPABILITY list.
      AND
         (b) The LOGIN command returns an error even if the password is
         correct.
      AND
         (c) The AUTHENTICATE command returns an error with all [SASL]
         mechanisms which use plaintext passwords, even if the password
         is correct.

v2.23.0 | Report a Bug | By Email