Re: [Jmap] JMAP security
Yoav Nir <ynir.ietf@gmail.com> Wed, 08 February 2017 19:01 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97538129D89 for <jmap@ietfa.amsl.com>; Wed, 8 Feb 2017 11:01:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7t3VxdMsRQOT for <jmap@ietfa.amsl.com>; Wed, 8 Feb 2017 11:01:58 -0800 (PST)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C388129DAE for <jmap@ietf.org>; Wed, 8 Feb 2017 11:01:15 -0800 (PST)
Received: by mail-wr0-x230.google.com with SMTP id 89so66195445wrr.2 for <jmap@ietf.org>; Wed, 08 Feb 2017 11:01:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ecwogFJ19KNXtOIy3bbv5LiOmhPotfoGvRedOv47hA0=; b=rnogPB6QRdNqBM7bjJdn/LNh6WWIBWx95hEMfLyGr1dUtxauxvlgi+OyAprJ2qjXM6 CkkFAeltOylkhIfnHAPriqhlIMOD1QQZCVgRInhBGbawUH4oESk/svTIDD13Dy8lPPnS qbTJlstqrjGLoqT24POlnbxMUUM89oHfEmMwfWHO4DeZUaxyqv2bi0zaTNXXDo4mzIw0 rHmYzU/tgHubRjNe2lcioKOG7c5ky9KXbOQNbjGEMez3yhHw4oo2TtacgGewEGJHL+tq xWThB7XYH8jnPX0WcCSP1sOVUA6fEgm3qye089k6HFW8qU1WTSg3pBatPWtv3MspPD5m uj4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ecwogFJ19KNXtOIy3bbv5LiOmhPotfoGvRedOv47hA0=; b=HmpVNPbcNEdQRNwzbrv9f7ojrEXfGfm70b6nyR5ghJ6Eq9fMVHMn98L2cKwO98vHKa Pn8M4PuxLliQWsHrGhhjJTksYrjltd2BZOyIu2/eSDzdF6iRKBn5H/lOg8bDrxhJCNJS uXbuw3B2JFoEhPTteDco1ZFeqvnC9g5ZDhBZCBizq54QwXy2ndw7DL26BwdjdEFp0B23 I5kJOFowqqRMScUSDyudqya7TDX7UZzfH2jsptwA5epHPCwyAbG6X7gw0jFJG6EZr/lo rJGcXbAjjPwD1uECiqIMKYiv5bmylECNqf5whdMtV3WeP45c5DapiGdXSsJDf3T8ogQ0 r/Zw==
X-Gm-Message-State: AIkVDXI0NxmUf5bY3wcGtpcmrAXstV3W6tRX11ZK/tOLWZdyyAdmGgeRNeCqE65O2/Gm0Q==
X-Received: by 10.223.136.197 with SMTP id g5mr20106246wrg.56.1486580473526; Wed, 08 Feb 2017 11:01:13 -0800 (PST)
Received: from [192.168.1.14] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id e16sm14491658wra.36.2017.02.08.11.01.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Feb 2017 11:01:12 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <4ABF6702-BFC7-4530-95FD-C61C06F2E6AB@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8CB0707C-D6D1-43D4-B391-4258F8BACBA1"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 08 Feb 2017 21:01:10 +0200
In-Reply-To: <yw8pj50om7igw8xwxd2fon4q.1486574928465@email.android.com>
To: podkorytov <podkorytov@mail.ru>
References: <yw8pj50om7igw8xwxd2fon4q.1486574928465@email.android.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/AUQ3bjYSdYwDyZN0HMr1_SFKmtg>
Cc: jmap@ietf.org
Subject: Re: [Jmap] JMAP security
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 19:01:59 -0000
On 8 Feb 2017, at 19:28, podkorytov <podkorytov@mail.ru> wrote: > Hello, what about JMAP client security ? > If it will works inside web browser it can inherit it vulneriabilities and join own, > JMAP is (will be?) a protocol. It can be implemented in Javascript in a browser; it can be implemented as part of a desktop or mobile MUA; it can be implemented as a library for use by servers that send email. > Any browser plugins such as Adobe's or something else may be potencial hole and targets for attacks. > Since we do expect browser use, that is definitely something to consider. Preventing plug-ins and scripts running in other tabs from sending requests on behalf of the user should certainly be a goal for the protocol. There are some ways of doing that: authenticating each HTTP request with something better than session cookies, making the resource names unpredictable, etc. That is definitely part of the design. > Probably it question out of frames of protocol draft , but it practical thing ang may to influence on JMAP success or fail. It will works inside browser with many others web applications and plug-ins > Security considerations are part of every IETF document and discussion of security vulnerabilities within the operating environment are very much in scope. Yoav
- [Jmap] JMAP security podkorytov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Дмитрий Подкорытов
- Re: [Jmap] JMAP security Alexey Melnikov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Arnt Gulbrandsen