[Jmap] Benjamin Kaduk's No Objection on draft-ietf-jmap-smime-09: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Tue, 19 October 2021 22:34 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: jmap@ietf.org
Delivered-To: jmap@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D0FE3A0A6D; Tue, 19 Oct 2021 15:34:54 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-jmap-smime@ietf.org, jmap-chairs@ietf.org, jmap@ietf.org, brong@fastmailteam.com, brong@fastmailteam.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.39.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <163468289442.773.9422623149409906055@ietfa.amsl.com>
Date: Tue, 19 Oct 2021 15:34:54 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/TYd0SAzSuBcHvFMTGP8cZP25XJ8>
Subject: [Jmap] Benjamin Kaduk's No Objection on draft-ietf-jmap-smime-09: (with COMMENT)
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.29
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2021 22:34:55 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-jmap-smime-09: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-jmap-smime/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Are we asserting that the "smime" prefix for property names (and "hasSmime", etc.) relates only to S/MIME signing? How might S/MIME encryption be handled if support is added in the future? I see that the opsdir reviewer asked about whether this document should have an "Updates:" relationship with RFC 8621. I'm not sure I see a need for it, myself, but would be interested in hearing the stance of the authors/WG. Section 4.1 signed: S/MIME signed message, but the signature was not yet verified. Some servers might not attempt to verify a signature until a particular message is requested by the client. JMAP servers compliant with this document SHOULD return "signed/ verified" or "signed/failed" instead of this signature status. I'd suggest adding something like "SHOULD attempt verification and return", just to reiterate that servers don't get to arbitrarily claim verification/failure without doing the verification. smimeErrors: "String[]|null". null signifies that the message doesn't contain any signature or that there were no errors when verifying the S/MIME signature. (I.e., this property is non null only when the corresponding "smimeStatus" response property value is "signed/ failed".) [...] Would some hypothetical future smimeStatus type be compatible with a non-null smimeErrors? This phrasing seems to preclude such a possibility. This might result in the following response: [["Email/get", { "accountId": "abc", "state": "41234123231", I note that this "state" value is used in RFC 8621 when retriving a similar example message. As far as I recall this state value represents only the state of Email objects on the server overall (with some caveat about visibility to the user), and so it is not inherently inconsistent to use the same value across examples ... but it might be worth picking a new value anyway. The reuse of the message "id" for a message with a different "receivedAt" date, subject, etc., though, seems less defensible than reusing "state". Example 2: Retrieval of minimal information about a message, [...] ["Email/get", { "ids": [ "af123u123" ], "properties": [ "mailboxIds", "from", "subject", "date", "smimeStatus", "smimeErrors", "smimeVerifiedAt" ] }, "#1"] Is reusing the method call id allowed? Section 4.2 * *hasVerifiedSmime*: "Boolean". If "hasVerifiedSmime" has the value true, only messages with "smimeStatus" equal to "signed/ verified" match the condition. If "hasVerifiedSmime" has the value false, only messages with "smimeStatus" not equal to "signed/verified" (including the value null) match the condition. Might some future status value (say, "signed+encrypted/verified") also need to match as "verified S/MIME"? This phrasing seems to preclude such a possibility. Section 6 The immutability of smimeStatusAtDelivery might have unfortunate interactions with trust anchor changes (additions, mostly) on the server, since the state could be locked into invalid even if the current TA set would have verified it at the time of delivery. Use of server-side S/MIME signature verification JMAP extension requires the client to trust the server signature verification code and configuration to perform S/MIME signature verification. [...] I think the client also trusts the channel between client and server, as well as the server itself. This is perhaps implicit in trusting the server, especially when combined with the JMAP requirement for secure transport, but might still be worth reiterating, as a divergence from the purely local S/MIME verification mode that is the alternative to this document's mechanism. Furthermore, I think it is worth clearly stating that trusting the server in this way also expands the attack surface -- when this mechanism is used, the server can be attacked (undetectably by the client) and return bogus S/MIME verification state, whereas local verification would have returned correct results. So the client is not just trusting the code and configuration of the server, but also its operational practices. Roman's text looks like a reasonable way of covering the last two points. NITS Section 1 This extension is suitable for cases where reduction in network bandwidth and client side code complexity outweigh security concerns about trusting JMAP server to perform S/MIME signature verifications. [...] "the JMAP server". Section 6 Use of server-side S/MIME signature verification JMAP extension requires the client to trust the server signature verification code and configuration to perform S/MIME signature verification. [...] "the server-side [...] extension".
- [Jmap] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [Jmap] Benjamin Kaduk's No Objection on draft… Alexey Melnikov