[Jmap] Secdir last call review of draft-ietf-jmap-mdn-16
Daniel Franke via Datatracker <email@example.com> Wed, 06 January 2021 02:41 UTC
Date: Tue, 05 Jan 2021 18:41:57 -0800
List-Id: JSON Message Access Protocol <jmap.ietf.org>
Reviewer: Daniel Franke
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document's Security Considerations section is appropriately brief because it doesn't introduce much in the way of new ones: the security model for JMAP MDN isn't essentially different from the security model for the analogous IMAP functionality.

But had I reviewed RFC 8098, I would have urged some changes to the Privacy Considerations section of that document. It's not that anything is wrong or overlooked, but its emphasis is odd. It focuses mostly on leakage of impersonal details like OS version and network topology, with nothing but a parenthetical mention given to the significant personal intrusion of monitoring message read times. Every abusive boss knows this trick: send your subordinates an email at 5:00 AM on Saturday and watch when the delivery receipts come in. I wish that something in the corpus of MDN-related RFCs would do a better job of acknowledging this, even if this one in particular is not the most appropriate place for it.