Re: [Jmap] Genart last call review of draft-ietf-jmap-smime-07

Peter Yee <> Wed, 08 September 2021 04:19 UTC


Thanks for that Bron. I suspected there was a discussion about this topic in
the WG, but that it simply wasn't reflected in the I-D. For those of us who
haven't kept up, adding a little bit of that discussion into the
introductory material would help a lot. 


                                Kind regards,



From: Bron Gondwana <> 
Sent: Tuesday, September 07, 2021 5:10 AM
To: Peter Yee <>
Subject: Re: Genart last call review of draft-ietf-jmap-smime-07


On Tue, Sep 7, 2021, at 17:00, Peter Yee via Datatracker wrote:

Summary: This document provides a JMAP extension that allows the JMAP server
provide its thoughts on the verification of a message's S/MIME signature.
the details of the extension seem fine, I'm not convinced that the rationale
for it and the consequences of trusting the server to perform the
are well described. [Ready with issues]


Thanks for the detailed review Peter!  I'll leave the specific nits to
Alexey as author.  Good point with the "rationale for trusting the server".
We did discuss this during the early meetings when this draft came up, and
considered that this would most likely be used within an organisation which
controls both the client and the server.  JMAP is particularly well suited
to very simple and light-weight clients.


It's envisioned that JMAP clients may even be a simple widget which displays
some details like mailbox counters or previews of the most recent few
messages.  By having the server side do S/MIME validation, a client can
simply check a property to display an icon next to a preview without being a
full S/MIME client.  Obviously this isn't something you would do where you
didn't trust the server absolutely!


It seems reasonable to me to add some text that summarizes this
understanding in the introduction, along with the existing "requires the
client to trust server verification code" in the security considerations.








  Bron Gondwana, CEO, Fastmail Pty Ltd <>