Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-mail-15: (with DISCUSS and COMMENT)
"Chris Newman" <chris.newman@oracle.com> Wed, 06 March 2019 22:46 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E43131064; Wed, 6 Mar 2019 14:46:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Pvzi3cRmwRt; Wed, 6 Mar 2019 14:46:20 -0800 (PST)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0BAB130E82; Wed, 6 Mar 2019 14:46:20 -0800 (PST)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x26MiGfB061912; Wed, 6 Mar 2019 22:46:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=iGqGYiDnq//Wy3DhUg95pivk7zR/3SBthvkdbe5zVBY=; b=Lu9ASAHH5g/O4UaW6keac1HzQ2Fbaok8jxojyRJZdMvgjo2AULysjQQJOhorSto1dZ9d 8hnPKFeg36mcD+vEdBQLNoPdk1TfxRT7E+S5Uqa6ijyjn63iBJst3i6wdRtvJ6An4yhk xpnnwDTCJUlO4wQUe1uqCJDt1wfLn0/Wudrq/eoOlu1VzPnQN/QAvkeFEudb+6AXyMdG YQnAfsv79IX8wO/hW8ecHSYkB7p7gxw3R5WgkJCNffVFKmmD/elb5OLP9LgVel9ABLJd nz8CxnEbWARPwzBE+DipLlRQMTtyaqBTuqbqsxVUAqIEBnGN4rLFMD5npLmTtXk5AmAw 4A==
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp2130.oracle.com with ESMTP id 2qyfbef1ga-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 06 Mar 2019 22:46:15 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id x26Mk94f032020 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 6 Mar 2019 22:46:10 GMT
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x26Mk7I2022198; Wed, 6 Mar 2019 22:46:07 GMT
Received: from [10.159.134.251] (/10.159.134.251) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 06 Mar 2019 14:46:07 -0800
From: Chris Newman <chris.newman@oracle.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, brong@fastmailteam.com, draft-ietf-jmap-mail@ietf.org, jmap-chairs@ietf.org, jmap@ietf.org
Date: Wed, 06 Mar 2019 14:46:04 -0800
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <E0ACD102-4856-44E1-92D3-CD3801836148@oracle.com>
In-Reply-To: <155175363767.5305.14440255640742603646.idtracker@ietfa.amsl.com>
References: <155175363767.5305.14440255640742603646.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9187 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903060154
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/78afLYg0tQSIQ3ZkcBvqs7Co5gI>
Subject: Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-mail-15: (with DISCUSS and COMMENT)
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 22:46:24 -0000
On 4 Mar 2019, at 18:40, Benjamin Kaduk wrote: > Section 4.1.2.1 > > A server SHOULD replace any > octet > or octet run with the high bit set that violates UTF-8 syntax with > the unicode replacement character (U+FFFD). [...] > > This seems problematic, given that this is supposed to be the "Raw" > format. I guess the justification for the replacement is that we use > JSON and JSON requires UTF-8, but if that's the case then shouldn't > this > be a MUST and not a SHOULD? In particular, a client can't rely on the > server providing the SHOULD, so it doesn't seem to provide much value. There's a MUST in the core document section 1.5 that requires the server to always send valid JSON/UTF-8. Use of the Unicode replacement character (URC) is one way to meet that requirement, but there are other ways to turn invalid data into JSON-compliant data and there may be good reasons to use mechanisms other than URC so I think SHOULD is appropriate here. - Chris > Section 4.7 > > The server MAY forbid two email objects with the same exact > [RFC5322] > content, or even just with the same [RFC5322] Message-ID, to > coexist > within an account; if the target account already has the email the > copy will be rejected with a standard "alreadyExists" error. > > This has some security considerations that should probably be > mentioned > in Section 9.4: when a user only has read privileges to a > subset of the folders in an account, this behavior can be abused as an > oracle to determine whether a given message exists in the inaccessible > portions of that account. (Similarly for /import.) > > Section 4.9 > > The following metadata properties on the Email objects will be > "null" > if requested: > [...] > o mailboxIds > > This seems in conflict with the Section 4.1.1 text that every Email > "MUST > belong to one or more mailboxes at all times (until it is deleted)." > Presumably we want a broader disclaimer in 4.1.1 rather than any > changes > here... > > There may also be a related condition wherein an EmailSubmission > object > refers to an Email after the Email is deleted -- I didn't (yet) see > text > to indicate whether the emailId in the EmailSubmission is expected to > still be resolvable, in which case there would potentially not be an > associated Mailbox. > > Section 9.3 > > It's 2019. Why are we still recommending SASL PLAIN? > We have better options even if we are resigned to passwords, like > SCRAM. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 1.3.1 > > o *maxMailboxesPerEmail*: "UnsignedInt|null" The maximum number of > mailboxes that can be can assigned to a single email. [...] > > nit: My understanding (shaped solely by experience and inference) is > that > "email" is generally used to refer to a message, whereas "email > account" > or "email address" would be used to refer to or associate with a thing > that can be a container for folders. > > o *maxSizeMailboxName*: "UnsignedInt" The maximum length, in > (UTF-8) > octets, allowed for the name of a mailbox. This MUST be at > least > 100, although it is recommended servers allow more. > > The Unicode normalization form used by client/server could cause > disagreement about whether a given name is permitted, though for the > type of use this will get it's not clear that we need to be more > rigorous. > > Section 1.3.2 > > o *submissionExtensions*: "String[String[]]" A JMAP implementation > that talks to a Submission [RFC6409] server SHOULD have a > configuration setting that allows an administrator to expose a > new > submission EHLO capability in this field. This allows a JMAP > > I think I'm confused by the workflow here. Suppose we have a JMAP > client A talking to a JMAP server B, and B is also an SMTP client that > talks to MTA C. This capability is supposed to be about letting B > expose a new EHLO capability to A, but only when C supports it? > We probably need some more text here to explain the scenario, even if > my > guess is correct. > > server to gain access to a new submission extension without code > changes. By default, the JMAP server should hide EHLO > capabilities that are to do with the transport mechanism and > thus > are only relevant to the JMAP server (for example PIPELINING, > CHUNKING, or STARTTLS). Each key in the object is the _ehlo- > name_, and the value is a list of _ehlo-args_. Examples of > Submission extensions to include: > > The description here could probably be reworded/reorderd for clarity, > since we don't start talking about what the actual map keys/values are > until the penultimate sentence, at present. > > Section 1.5 > > In addition, servers MUST support pushing state changes for a type > called "EmailDelivery". [...] > > Er, is this only servers that are implementing > urn:ietf:params:jmap:mail? Or is the bit about "Servers MUST support > all properties specified for the new data types defined in this > document" supposed to imply that I have to implement all three as a > unit, even if not all of them are going to be available for every > account/credentials? > > Section 2 > > o *id*: "Id" (immutable; server-set) The id of the mailbox. > > Since jmap-core now has all Ids as immutable and server-set, is this > sort of notation considered redundant in jmap-mail? (Throughout; this > is just the first instance.) > > o *role*: "String|null" (default: null) Identifies mailboxes that > [...] > same role. Servers providing IMAP access to the same data are > encouraged to enforce these extra restrictions in IMAP as well. > Otherwise, it is implementation dependent how to modify the IMAP > attributes to ensure compliance when exposing the data over > JMAP. > > If we had a "see also" document relation, this might justify one from > IMAP > to here. It probably doesn't qualify for Updates: though. > Nonetheless, I'd consider having a top-level "Updates Affecting IMAP" > section like RFC 8446 did for TLS 1.2, to collect all the bits that > someone deploying IMAP and JMAP together might need to think about for > their IMAP implementation. > > o *sortOrder*: "UnsignedInt" (default: 0) Defines the sort order > of > [...] > equal order SHOULD be sorted in alphabetical order by name. The > sorting SHOULD take into account locale-specific character order > convention. > > I think this last SHOULD is probably not a 2119 SHOULD, and therefore > should just be "should". > > o *unreadThreads*: "UnsignedInt" (server-set) An indication of the > number of "unread" threads in the mailbox. For compatibility > with > existing implementations, the way "unread threads" is determined > is not mandated in this document. The simplest solution to > > Do we really have competing *J*MAP implementations that disagree on > this? Or is the idea to preserve compatibility with IMAP > clients or other current implementations that attempt to determine > threading relationships (in which case, that should probably be > mentioned)? > > o *myRights*: "MailboxRights" (server-set) The set of rights > (ACLs) > the user has in relation to this mailbox. These are backwards > compatible with IMAP ACLs, as defined in [RFC4314]. A > _MailboxRights_ object has the following properties: > > I read this as saying that all of the properties must be present in > the > object, such that omitting a property is not a permitted synonym for > it > having a value of false. Is this reading correct? > If so, what should a client do if the server misbehaves? > > * *mayReadItems*: "Boolean" If true, the user may use this > [...] > but not the parent mailbox, this may be "false". Corresponds > to IMAP ACLs "lr". > > "Corresponds to" is perhaps imprecise, if one is thinking about the > IMAP > ACL as being the authoritative source of information (which not all > readers will!). The point being that just 'l' or just 'r' would not > be > enough to get this, and since JMAP is specifying a slightly more > abstract mapping than standard IMAP rights, we should be precise about > the mapping, and arguably in both directions. (Not just here, but for > all the compound ACLs, of course. Also for IMAP ACL 'x', which has > two > corresponding JMAP permissions.) > > * *maySetSeen*: "Boolean" The user may add or remove the > "$seen" > keyword to/from an email. If an email belongs to multiple > mailboxes, the user may only modify "$seen" if *all* of the > mailboxes have this permission. Corresponds to IMAP ACL "s". > > nit: in the intro, we talk of "rights the user has in relation to this > mailbox", so it's a bit disjoint to talk of mailboxes having > permissons. > (Here and below.) > > o *isSubscribed*: "Boolean" Has the user indicated they wish to > see > [...] > choose to ignore this property, either entirely for ease of > implementation, or just for the primary account (which is > normally > > nit: We don't really provide a formal definition of "primary account" > either here or in jmap-core. > > Section 2.1 > > Standard "/get" method. The _ids_ argument may be "null" to fetch > > I thought I had said something on jmap-core but maybe I only thought > about it: my personal preference would be for section references into > jmap-core to provide a foundation for what the "standard method" is, > though I will not insist upon it. > > all at once. > > (Also, this behavior is part of the standard method now.) > > Section 2.2 > > I might say explicitly that "a non-null updatedProperties response > argument indicates that the mailbox contents are unchanged from the > old > state, with only the counts having changed", since these semantics are > potentially unexpected. > > Section 2.3 > > Standard "/query" method, but with the following additional > argument: > > (Generic comment, not scoped to just this section): are we going to > need > to draw a distinction between input and ouput arguments for any of the > additions we make to standard methods? > > o *role*: "String|null" The Mailbox _role_ property must match the > given value exactly. > > So the client is responsible for lower-casing values from the IMAP > Mailbox Name Attributes registry and the server must not do a > case-insensitive comparison? > > The following properties MUST be supported for sorting: > > Just to be pedantic, we're talking about the values of the "property" > property within the Comparator object, right? (This is one of those > annoying things at the intersection of technical specifications and > natural English language.) > > Section 4 > > Due to the number of properties involved, the set of _Email_ > properties is specified over the following three sub-sections. > > It's probably worth a note that the subsections are for purposes of > document organization and are not reflected in the wire protocol > structure -- the properties involved are all top-level peers, across > the > three subsections. (Assuming that's correct, of course.) > > Section 4.1 > > I assume it was a conscious WG decision to not present a full > consolidated schema for Email. But I want to check, since I think > (not > having one) that it would have helped my understanding, and I try to > be > open to discovering the errors of my ways... > > o _textBody_/_htmlBody_: These provide a list of parts that should > be rendered sequentially as the "body" of the message. This is > a > list rather than a single part as messages may have headers > and/or > footers appended/prepended as separate parts as they are > transmitted, and some clients send text and images intended to > be > displayed inline in the body (or even videos and sound clips) as > multiple parts rather than a single HTML part with referenced > images. > > Some guidance related to interpreting these lists and avoiding the > eFail > (efail.de) class of attacks is probably in order -- the HTML parts > should get some different containers around their processing. This > could potentially go here, or in Section 9.2. > > Because MIME allows for multiple representations of the same data > (using "multipart/alternative"), there is a textBody property > (which > prefers a plain text representation) and an htmlBody property > (which > prefers an HTML representation) to accommodate the two most common > client requirements. The same part may appear in both lists where > there is no alternative between the two. > > (soapbox) It's annoying when I get mime/multipart with HTML in the > text/plain section. Is this clause going to allow for that same sort > of > misclassification? > > Due to the number of properties involved, the set of _Email_ > properties is specified over the following three sub-sections. > > nit: are we at four sub-sections now? > > Section 4.1.1 > > The IMAP "\Recent" keyword is not exposed via JMAP. The IMAP > "\Deleted" keyword is also not present: IMAP uses a > delete+expunge > model, which JMAP does not. Any message with the "\Deleted" > keyword MUST NOT be visible via JMAP (including as part of any > mailbox counts). Users may add arbitrary keywords to an email. > > IIRC, Trash gets special handling with respect to deletion in JMAP > commands; does it also get special treatment w.r.t \Deleted > translation > from IMAP to JMAP? > > Section 4.1.2.2 > > This escape valve for "Any header not defined in [RFC5322] or > [RFC2369]" > (here, et seq) seems like it might benefit from some general guidance > about implementations applying common sense, i.e., allowing servers > the > ability to deny requests for a given form for such new headers in > order > to prevent nonsense behavior. > > Section 4.1.4 > > o *partId*: "String|null" Identifies this part uniquely within the > Email. This is scoped to the _emailId_ and has no meaning > outside > of the JMAP Email object representation. This is "null" if, and > only if, the part is of type "multipart/*". > > The prose isn't the super-best indicator that the asterisk is > intended to have wildcarding behavior. > > Section 4.4.1 > > Just to double-check: the different fencepost behavior for > minSize/maxSize is intentional? > > o *text*: "String" Looks for the text in emails. The server > SHOULD > look up text in the _from_, _to_, _cc_, _bcc_, _subject_ header > fields of the message, and inside any "text/*" or other body > parts > that may be converted to text by the server. The server MAY > extend the search to any additional textual property. > > side note: as a mail user, I like to be able to use text search to > conclusively determine that a given message/topic is *not* in a given > mailbox. This weak "SHOULD" language does not provide me that > guarantee, though I can see how it makes sense in the protocol design > to > leave the flexibility for implementors, here. > > o When searching inside a "text/html" body part, any text > considered > markup rather than content SHOULD be ignored, including HTML > tags > and most attributes, anything inside the "<head>" tag, CSS and > JavaScript. Attribute content intended for presentation to the > user such as "alt" and "title" SHOULD be considered in the > search. > > This would seem to leave no reliable way for a security researcher to > (e.g.) search for snippets of attack javascript in received mails > without downloading all of them. > > o Text SHOULD be matched in a case-insensitive manner. > > Is the server going to have a sense of the user's locale as needed for > fully generic case-insensitive comparison? > > o Tokens MAY be matched on a whole-word basis using stemming (so > for > example a text search for "bus" would match "buses" but not > "business"). > > I think this is supposed to not apply to the "phrase search" two > bullets > above, but greater clarity would be appreciated. > > o *hasKeyword* - This value MUST be considered "true" if the email > has the keyword given as an additional _keyword_ property on the > _Comparator_ object, or "false" otherwise. > > I strongly suggest an explicit listing of the "additional properties > as > reuqired for specific sort operations" of the _Comparator_ type when > used for Emails. > > Section 4.6 > > When emptying the trash, clients SHOULD NOT destroy emails which > are > also in a mailbox other than trash. For those emails, they SHOULD > just remove the Trash mailbox from the email. > > This last SHOULD seems to be duplicated in Section 2. > > For successfully created Email objects, the _created_ response > contains the _id_, _blobId_, _threadId_ and _size_ properties of > the > object. > > For partial drafts, the behavior where a threadId always gets assigned > on first touch is perhaps interesting, as subsequent edits might cause > the effective threading to change, which would necessitate a new Id as > well (IIUC). I'm not sure if there's anything weird there that a > client > would need to be prepared for, though. (Maybe not, given that it > always > is going to get back an _id_ from /set, and should be using that.) > > Section 4.8 > > If the blob referenced is not a valid [RFC5322] message, the server > MAY modify the message to fix errors (such as removing NUL octets > or > fixing invalid headers). If it does this, the _blobId_ on the > response MUST represent the new representation and therefore be > different to the _blobId_ on the EmailImport object. > Alternatively, > the server MAY reject the import with an "invalidEmail" SetError. > > In general, having more options like this can increase the fragility > of > the ecosystem, as a client might be written to assume one behvaior and > then be not as portable to a different server. I'm not sure that > there's a clear way to mandate a single type of behavior here, but > want > to be sure that the topic was discussed. > > Section 6 > > o *email*: "String" (immutable) The "From" email address the > client > MUST use when creating a new message from this identity. The > value MAY alternatively be of the form "*@example.com", in which > case the client may use any valid email address ending in > "@example.com". > > I mostly assume this is supposed to be for a generic domain and not > special-casing example.com literally. Some extra text/formatting > would > help with that. > > Section 7.3 > > The associated identityId is not a queriable property? > > Section 7.5 > > o *onSuccessUpdateEmail*: "Id[Email]|null" A map of > _EmailSubmission > id_ to an object containing properties to update on the Email > object referenced by the EmailSubmission if the create/update/ > destroy succeeds. (For references to EmailSubmission creations, > this is equivalent to a back-reference so the id will be the > creation id prefixed with a "#".) > > I'm confused by the "Id[Email]" part -- we describe it as a map to "an > object containing properties to update", but that's not exactly what > an > Email object is. Is this more of a PatchObject than an Email per se? > nit: I'd also tweak the wording of the parenthetical a bit (here and > below), to something like "when applying to EmailSubmissions created > in > the same "/set" invocation, ..." > > Section 8 > > By a literal reading, fromDate and toDate are in conflict with each > other (when non-null). That is, the fromDate text does not admit the > possibility of an end to the vacation response period, and vice versa. > > Section 9 > > I'd consider adding another sentence like "Additional considerations > specific to the data types and functionality introduced by this > document > are described in the following subsections." > > Section 9.3 > > I know we don't want this to devolve into a generic discussion of the > flaws of email, but perhaps the envelope-from/body-from distinction is > worth repeating, with a note that JMAP has provisions for ACLs on > submission that check both. > > > _______________________________________________ > Jmap mailing list > Jmap@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_jmap&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=K_BObr5Kfkr3rxt1oBPF9KFiEU3xl9LcD2OOJG3TXfI&m=Kd4khyWKu1OdyQCDkytHP56BfjUiYrtqcTi99Nnq9Og&s=0q4Ry-Xka_xREe6pZmV1qritx4bxQmiUMONF99Vlejo&e=
- [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jma… Benjamin Kaduk
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Chris Newman
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Chris Newman
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Chris Newman
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Neil Jenkins
- Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk