Re: [Jmap] Secdir last call review of draft-ietf-jmap-contacts-06

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 04 April 2024 19:21 UTC

References: <171221155095.47781.827957534903822489@ietfa.amsl.com>
In-Reply-To: <171221155095.47781.827957534903822489@ietfa.amsl.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 04 Apr 2024 12:21:18 -0700
Message-ID: <CAL0qLwapTZucbgr7NzeF_Uwtmo1p=NR=tJz_HAUOmsF7Wa0Mjw@mail.gmail.com>
To: jmap@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/TW2GQWouplKkdi7kbDeG467j5Q0>
Subject: Re: [Jmap] Secdir last call review of draft-ietf-jmap-contacts-06

On Wed, Apr 3, 2024 at 11:19 PM Shivan Sahib via Datatracker <noreply@ietf.org> wrote:

> Reviewer: Shivan Sahib
> Review result: Has Issues
>
> Section 1.4
> This section says "This document defines two additional capability URIs."
> but AFAICT it's only one, i.e. urn:ietf:params:jmap:contacts
>
> Section 2
> Why does the description property not have any restrictions, unlike the
> name property?
>
> In general, it's a bit confusing which properties are mandatory and which
> are optional: sometimes it's pretty obvious (id and name), and sometimes
> it's not (sortOrder). I would highly recommend explicitly labelling all
> properties as either mandatory (and then defining what the possible values
> are), or optional (similar, but also with a sensible default).
>
> Looks like Principal is missing a reference to
> https://datatracker.ietf.org/doc/html/draft-ietf-jmap-sharing-06.
>
> The mayDelete property in AddressBookRights is confusing, since I first
> thought it means the ability to delete ContactCards, since that's what
> mayRead and mayWrite mention.
>
> Section 5
> The Security Considerations section needs to address the fact that a user
> query which uses filtering/sorting is basically untrusted input and
> recommend how to sanitize and treat the input. It should at the very least
> point to RFC 8620 security guidance around parsing JSON input.
>

Any revision needed, or some other response to this?

-MSK
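One concrete shape the Section 5 advice can take on the server side, treating a `ContactCard/query` filter and sort as untrusted input before anything reaches a data store. This is an added example in Python, not code from the draft, its authors, or any JMAP implementation. The FilterOperator/Comparator structure follows RFC 8620 section 5.5; the ContactCard filter property names, the sort properties, and the depth and size limits are assumptions taken from a reading of draft-ietf-jmap-contacts and should be checked against the version you implement.

```python
"""Allow-list validation of an untrusted JMAP ContactCard/query filter and sort.

Added example (not part of draft-ietf-jmap-contacts or any JMAP server).
Property names and limits below are assumptions; align them with the spec.
"""
from __future__ import annotations
from typing import Any

# Assumed ContactCard FilterCondition properties and their expected JSON types.
CONDITION_TYPES: dict[str, type] = {
    "inAddressBook": str, "uid": str, "hasMember": str, "kind": str,
    "createdBefore": str, "createdAfter": str, "updatedBefore": str,
    "updatedAfter": str, "text": str, "name": str, "given": str,
    "surname": str, "nickName": str, "organization": str, "email": str,
    "phone": str, "onlineService": str, "address": str, "note": str,
}
SORT_PROPERTIES = {"created", "updated", "name", "given", "surname"}  # assumed
FILTER_OPERATORS = {"AND", "OR", "NOT"}   # RFC 8620 section 5.5
MAX_DEPTH = 4          # caps nesting of FilterOperator trees (assumed limit)
MAX_CONDITIONS = 32    # caps leaf conditions per query (assumed limit)
MAX_STRING_LEN = 1024  # caps any string value (assumed limit)


class InvalidFilter(ValueError):
    """Any failure; map it to a JMAP unsupportedFilter/unsupportedSort/invalidArguments error."""


def validate_filter(node: Any, depth: int = 0, budget: list[int] | None = None) -> dict:
    """Return a cleaned copy of `node` containing only known keys, or raise InvalidFilter."""
    if budget is None:
        budget = [MAX_CONDITIONS]
    if depth > MAX_DEPTH:
        raise InvalidFilter("filter nested too deeply")
    if not isinstance(node, dict):
        raise InvalidFilter("filter must be a JSON object")
    if "operator" in node:
        # FilterOperator: exactly the keys 'operator' and 'conditions'.
        if set(node) != {"operator", "conditions"}:
            raise InvalidFilter("FilterOperator must have exactly operator and conditions")
        op = node["operator"]
        if op not in FILTER_OPERATORS:
            raise InvalidFilter(f"unknown operator {op!r}")
        conds = node["conditions"]
        if not isinstance(conds, list) or not conds:
            raise InvalidFilter("conditions must be a non-empty array")
        return {"operator": op,
                "conditions": [validate_filter(c, depth + 1, budget) for c in conds]}
    # FilterCondition: every key must be a known property with the right type.
    clean: dict[str, Any] = {}
    for key, value in node.items():
        expected = CONDITION_TYPES.get(key)
        if expected is None:
            raise InvalidFilter(f"unknown filter property {key!r}")
        if type(value) is not expected:
            raise InvalidFilter(f"{key} must be {expected.__name__}")
        if isinstance(value, str) and len(value) > MAX_STRING_LEN:
            raise InvalidFilter(f"{key} too long")
        clean[key] = value
    budget[0] -= 1
    if budget[0] < 0:
        raise InvalidFilter("too many conditions")
    return clean


def validate_sort(sort: Any) -> list[dict]:
    """Return a cleaned list of Comparator objects (RFC 8620 section 5.5), or raise."""
    if sort is None:
        return []
    if not isinstance(sort, list):
        raise InvalidFilter("sort must be an array")
    out = []
    for comp in sort:
        if not isinstance(comp, dict) or not set(comp) <= {"property", "isAscending", "collation"}:
            raise InvalidFilter("bad Comparator")
        prop = comp.get("property")
        if prop not in SORT_PROPERTIES:
            raise InvalidFilter(f"unsupported sort property {prop!r}")
        asc = comp.get("isAscending", True)
        if not isinstance(asc, bool):
            raise InvalidFilter("isAscending must be boolean")
        cleaned = {"property": prop, "isAscending": asc}
        if "collation" in comp:
            if not isinstance(comp["collation"], str):
                raise InvalidFilter("collation must be a string")
            cleaned["collation"] = comp["collation"]
        out.append(cleaned)
    return out


def rejection_reason(filter_obj: Any) -> str | None:
    """Convenience wrapper: None if the filter is accepted, else the error text."""
    try:
        validate_filter(filter_obj)
        return None
    except InvalidFilter as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {"operator": "AND",
              "conditions": [{"inAddressBook": "ab1"}, {"text": "alice"}]}
    print(validate_filter(sample), validate_sort([{"property": "name"}]))
    print(rejection_reason({"uid": 7}), rejection_reason({"name": "x", "foo": "y"}))
```

The cleaning step returns a fresh object rather than passing the parsed JSON through, so a downstream query builder only ever sees keys and types it was written for; the depth and condition budgets bound the work a single request can demand of the server.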