Re: Further IESG feedback on draft-crispin-imapv-17.txt
Chris Newman <Chris.Newman@Sun.COM> Fri, 20 September 2002 00:11 UTC
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g8K0B2N03552 for ietf-imapext-bks; Thu, 19 Sep 2002 17:11:02 -0700 (PDT)
Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g8K0B1k03548 for <ietf-imapext@imc.org>; Thu, 19 Sep 2002 17:11:01 -0700 (PDT)
Received: from esunmail ([129.147.58.121]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id SAA09289 for <ietf-imapext@imc.org>; Thu, 19 Sep 2002 18:11:04 -0600 (MDT)
Received: from xpa-fe1 ([129.147.58.122]) by edgemail1.Central.Sun.COM (iPlanet Messaging Server 5.2 HotFix 0.8 (built Jul 12 2002)) with ESMTP id <0H2P00LAEN6G6V@edgemail1.Central.Sun.COM> for ietf-imapext@imc.org; Thu, 19 Sep 2002 18:11:04 -0600 (MDT)
Received: from nifty-jr.west.sun.com ([129.153.12.95]) by mail.sun.net (iPlanet Messaging Server 5.2 HotFix 0.2 (built Apr 26 2002)) with ESMTPSA id <0H2P00AO0N6C9K@mail.sun.net> for ietf-imapext@imc.org; Thu, 19 Sep 2002 18:11:04 -0600 (MDT)
Date: Thu, 19 Sep 2002 17:08:58 -0700
From: Chris Newman <Chris.Newman@Sun.COM>
Subject: Re: Further IESG feedback on draft-crispin-imapv-17.txt
In-reply-to: <01KMOKNGXORY00628S@mauve.mrochek.com>
To: ned.freed@mrochek.com, IMAP Mailing Liste <imap@u.washington.edu>, IMAP Extensions WG <ietf-imapext@imc.org>
Cc: paf@cisco.com, jis@mit.edu
Message-id: <2147483647.1032455338@nifty-jr.west.sun.com>
MIME-version: 1.0
X-Mailer: Mulberry/3.0.0b3 (Mac OS X)
Content-type: text/plain; charset="us-ascii"; format="flowed"
Content-transfer-encoding: 7bit
Content-disposition: inline
X-message-flag: Outlook: the best virus distribution system around
References: <01KMOKNGXORY00628S@mauve.mrochek.com>
Sender: owner-ietf-imapext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-imapext/mail-archive/>
List-ID: <ietf-imapext.imc.org>
List-Unsubscribe: <mailto:ietf-imapext-request@imc.org?body=unsubscribe>
I am absolutely opposed to the change the IESG has proposed because it will
result in inadequate real-world security for the IMAP protocol.
RFC 2060 currently requires no security for IMAP. So the unencrypted
plaintext password mechanism is the only one that all IMAP products
implement. Customers purchasing IMAP software require interoperability and
thus require support for unencrypted plaintext passwords. The only upside
is that SSL/TLS has deployed quite well.
The "SHOULD NOT" language greatly improves the situation because many
vendors will comply with the spec and advertise that fact, and thus it will
create market pressure for IMAP vendors to implement STARTTLS.
The "MUST NOT" language is not nearly as effective. Because vendors can
not comply with the new spec and meet customer requirements, they will
ignore the spec and simply claim compliance with RFC 2060. As a result,
there will be no new market pressure to improve the status quo.
Therefore, the current "SHOULD NOT" language will provide better real-world
security than the proposed "MUST NOT" language.
Mark's proposed compromise language is also acceptable and better than the
current language.
- Chris
begin quotation by ned.freed@mrochek.com on 2002/9/19 10:34 -0700:
>
> The IESG had this on the agenda today. The various document nits seem to
> have been satisfactorily addressed. The IESG is also happy with the
> general way the big item in the previous feedback -- mandatory to
> implement security -- has been dealt with.
>
> One concern remains, however. The following note appears in 6.2.1:
>
> Note: a server implementation SHOULD NOT permit any
> plaintext password mechanisms unless the STARTTLS
> command described in [IMAP-TLS] has been negotiated.
> Client and server implementations SHOULD implement
> additional SASL mechanisms which do not use plaintext
> passwords, such the GSSAPI mechanism described in [SASL]
> and/or the [DIGEST-MD5] mechanism.
>
> The IESG would like to push back even harder on the use of plain text
> passwords, and would like to see this changed to read:
>
> Note: a server implementation MUST NOT permit any
> plaintext password mechanisms unless the STARTTLS
> command described in [IMAP-TLS] has been negotiated or some
> other mechanism that protects the session from password
> snooping has been provided. Client and server implementations
> SHOULD implement additional SASL mechanisms which do not use
> plaintext passwords, such the GSSAPI mechanism described in
> [SASL] and/or the [DIGEST-MD5] mechanism.
>
> The reason the IESG would like to see this change made should be
> obvious, but in case it is not: The IESG wants to mandate the use of
> mechanisms that insure password snooping isn't possible but recognizes
> that there are many ways to do this besides TLS: SSH, VPNs, physical
> network security, etc.
>
> How do people feel about making this change?
>
> Ned
>
- re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Cyrus Daboo
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… Steve Hole
- Re: Further IESG feedback on draft-crispin-imapv-… Chris Newman
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- Further IESG feedback on draft-crispin-imapv-17.t… ned.freed