IETF Logo Mail Archive

Re: [Jmap] AD review of draft-ietf-jmap-mail-12

"Neil Jenkins" <neilj@fastmailteam.com> Thu, 10 January 2019 03:42 UTC

Return-Path: <neilj@fastmailteam.com>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67C7131113 for <jmap@ietfa.amsl.com>; Wed, 9 Jan 2019 19:42:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.982
X-Spam-Level:
X-Spam-Status: No, score=-1.982 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_HEADER_CTYPE_ONLY=0.717, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=m9IeP+ai; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=kFHWRCp9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTGxsyS6UYzP for <jmap@ietfa.amsl.com>; Wed, 9 Jan 2019 19:42:52 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3AAF124408 for <jmap@ietf.org>; Wed, 9 Jan 2019 19:42:52 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id C7FDA2311B; Wed, 9 Jan 2019 22:42:50 -0500 (EST)
Received: from imap7 ([10.202.2.57]) by compute6.internal (MEProxy); Wed, 09 Jan 2019 22:42:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=message-id:in-reply-to:references:date:from :to:cc:subject:content-type; s=fm1; bh=PQ6+QPy8YH/D7voPfpJYy1PzN 7NQlHZ7C6RWyjQ6ZVo=; b=m9IeP+aidLR5rbZfVN5hc7P9CqGvjNncYcv7+uyNo qCvnM+VDauEOCrLZv4IpM8/Rf7q9fL2q1DLDtZWWi7iNOkpZldVwC3mjWc3h0mS2 VVVgT3XKbnUvH8aKQ0J187WAWPrbHMwU6G+9QMAk+Hqpc3TjgrjCBW2vL4qh+eWm I12Nna8/j+QGTU8pKFzTUWReYReB3meF7/GzWMqRMJSOKBunFm9K0rifzTyQOV/Z EbedsJyQK4qfee7GTK+/InP8DOm93sRx5bpVwosuoESyrosMV+CaXz9RnFa6lPAf V5TzVjtJ7k3UA3TZC6rE0eMmADLm4hDCncehaMaQKkcag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:references:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=PQ6+QPy8YH/D7voPf pJYy1PzN7NQlHZ7C6RWyjQ6ZVo=; b=kFHWRCp9YGkF00mtaBO4hXvkW4ffSbhmV PiFXTkf7Qs/yJuHCbcJT3uH/bj0cnT/mMcV9s7udQof6ONrAFYKi50fk9XSPsX3R O8hetQ6zetPnCPGq2J7NW6JorrbkE7rWMPMfDABNBpfPzZxfmReCljowRsQA7TVT Aw3qokq/mOt8/ZI8X0v22it5dlWng31wyboynjspf2pZS5eq5x7Us3zTeP4mfCVL SOhmUpovQMe4AgbQ05dr1UZU892vX17MtWZtjSpSQWtKWGO5AAkBRYYbI7+GJiH8 gfvcIipYnWorsf7APuSykQM6UcvClWvLLQNm55sTUkl0ms4sqXS4Q==
X-ME-Sender: <xms:Or82XGzaeo1KwwAqM_cZzylqj9j-5M7uKbsipbVjG6ehbwbEeJm-LQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledrfedvgdeiudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthenuceurghilhhouhhtmecufedt tdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepofgfkfgjfhffhf fvufgtsegrtderreerreejnecuhfhrohhmpedfpfgvihhlucflvghnkhhinhhsfdcuoehn vghilhhjsehfrghsthhmrghilhhtvggrmhdrtghomheqnecuffhomhgrihhnpehgihhthh husgdrtghomhdpjhhmrghprdhiohenucfrrghrrghmpehmrghilhhfrhhomhepnhgvihhl jhesfhgrshhtmhgrihhlthgvrghmrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:Or82XNyaLkRCPvbn4NC-ubX7HhHIo0L1o2CT1dKohQKIUJpGF8o-Fw> <xmx:Or82XOzBavcwzB4-sCojPJOmSPrH5SOLtjgCDBnVKZqup66hFE_uWA> <xmx:Or82XHZWVOVeH-t7VQKXrOKYlNcowJcMZHmLJXdEt8kZoB34IvJ2og> <xmx:Or82XBM3LSJAQfkfOGi9hpzkUOeiCs9OHESWglivEeRFUA9Ek4NH3A>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id EC4CC203F1; Wed, 9 Jan 2019 22:42:49 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-739-g7452a1e-fmstable-20190103v1
X-Me-Personality: 64588216
Message-Id: <ae65bb55-be63-4117-98d4-a8ff10bc675e@beta.fastmail.com>
In-Reply-To: <98b0db46-93e6-d03b-085d-15f66912fca6@isode.com>
References: <98b0db46-93e6-d03b-085d-15f66912fca6@isode.com>
Date: Wed, 09 Jan 2019 22:42:49 -0500
From: Neil Jenkins <neilj@fastmailteam.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: IETF JMAP Mailing List <jmap@ietf.org>
Content-Type: multipart/alternative; boundary="aecf8264a8d14081a1d4350c01a213ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/tQpPVBfJonCG2WBqU2vVUG6FyFg>
Subject: Re: [Jmap] AD review of draft-ietf-jmap-mail-12
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 03:42:56 -0000

On Thu, 10 Jan 2019, at 4:34 AM, Alexey Melnikov wrote:
> The document is not clear that RFC XXXX is draft-ietf-jmap-core-XX

This is now referenced properly.
 
>  By default, the JMAP server should hide EHLO
>  capabilities that are to do with the transport mechanism and thus
>  are only relevant to the JMAP server
> 
> Is it worth having a registry for these a la Section 6.2 of RFC 8494?

I don't feel a need for one strongly, but we can add one if you think it's necessary?

>  In addition, servers MUST support a psuedo-type called
>  "EmailDelivery" in the push mechanisms. 
> 
> I think an example or pointer to an example would be useful here.

I've added the following example to the document; does this clarify it for you?

*The client has registered for push notifications just for the `EmailDelivery` type (see [@!I-D.ietf-jmap-core] for details of the push system). The user marks an email as read on another device, causing the state string for the `Email` type to change, however as nothing new was added to the store the `EmailDelivery` state does not change and nothing is pushed to the client. A new message arrives in the user's inbox, again causing the `Email` state to change. This time the `EmailDelivery` state also changes, and a StateChange object is pushed to the client with the new state string. The client may then resync to fetch the new message immediately.*

>  In Section 2:
> 
> > Servers MUST forbid sibling Mailboxes with the same name.
> What exactly is this trying to say?

I have rewritten this to say:

*There MUST NOT be two mailboxes with both the same parent and the same name.*

Is that clear? (IMAP is path based so naturally you cannot have two sibling mailboxes with the same name; but JMAP is id based so in theory you could. For IMAP compatibility, and to avoid user confusion, this is forbidden by fiat.)

>  RFC 4314 (IMAP ACL) needs to be referenced at least Informatevely (due 
> to Myrights command reference).

As Bron mentioned, this has already done following the secdir core review.

> IMAP4rev1 (RFC 3501) should be an Informative reference (due to 
> referencing the following terms: subscriptions, internal date).

Added.

> > A server MAY use heuristics to
> > determine a charset and decode the octets, or MAY replace any octet
> > or octet run with the high bit set that violates UTF-8 syntax with
> > the unicode replacement character (U+FFFD).
> 
> Do we really want to encourage the "MAY use heuristics" part? Such email 
> messages are non compliant and thus not in scope for this document!

Well, they appear in the real world so servers do need to deal with them. Using heuristics to determine what the sender intended often provides the best user experience (customers tend not to care that it was the sender that sent something broken…). However, I'm not strongly attached. Would you prefer me to replace this with the following?

*A server SHOULD replace any octet or octet run with the high bit set that violates UTF-8 syntax with the unicode replacement character (U+FFFD).**
*

> So RAW will typically have the leading space, as most generated messages 
> have a space after ":" that terminates the header field name. Is it 
> worth pointing this out to implementors?

Doesn't hurt. I have added:

*This form will typically have a leading space, as most generated messages**
*
*insert a space after the colon that terminates the header field name.*

> >5. Any [RFC6532] UTF-8 values decoded.
> Decoded from what? They are already in UTF-8!

The idea was that your implementation has a unicode string implementation that may not be UTF-8; that's just one possible encoding. You are decoding everything into your internal string format, normalising the unicode (next step) and then it will be encoded as UTF-8 when output as JSON as this is the encoding used for that.

However, I have now just removed this step as I think it just confuses the matter and the step is obvious if required.

> 
>  o Comment
> 
> RFC 5322 defines "Comments" header field (note that it is plural).

Thanks, fixed.

> Also, what about "Keywords" header field?

Sure, I've added that.

> Is it worth explicitly mentioning Content-Description header field here 
> as well?

The spec currently only has restrictions on RFC5322 and RFC2369 headers. Other headers such as this one are not explicitly forbidden so may be used with the form already. So I don't think it's necessary to mention explicitly.

> In Section 4.1.2.3:
> 
> "Any [RFC6532] UTF-8 values MUST be decoded." -- again, decoded from what?

Same as above; I have now removed.

> Is RFC 2231 encoding allowed in this and the following section?

I don't think so, as To, Cc etc. don't have parameter values. Or have I got that wrong?

> 
> In 4.1.3:
> 
> asText and asAddresses is not defined in the document. Did you mean:

This is defined at the top of page 26 in 4.1.3:

o  *:as{header-form}* This means the value is in a parsed form, where
      "{header-form}" is one of the parsed-form names specified above.
      If not given, the value is in _Raw_ form.

> In Section 4.1.4:
> 
> You need to define handling for unrecognised Content-Transfer-Encoding 
> values here.

I have added

*If the transfer encoding is unknown, it is treated as though it had no transfer-encoding.*

> "cid:" needs to Normatively reference RFC 2392. HTML needs a reference 
> as well.

Added.

> In Section 4.2 (and similar text in 4.9):
> 
> maxBodyValueBytes:
> 
>  "The server MUST ensure the truncation results in valid UTF-8 and does 
> not occur mid-codepoint." --
> 
> The document needs to make sure that this is only true for body parts 
> which are known to be textual (e.g. text/plain, text/html, XML, JSON). 
> If a body part is a JPEG image, this requirement doesn't make sense.

As Bron pointed out, bodyValue is only returned like this for text/* types.

> In Sections 4.8/4.9:
> 
> The document needs to explicitly allow EAI messages, not just RFC 5322 
> format.

I'm not entirely sure how to specify this. I have added this sentence to the introduction to each of these methods:

*The server SHOULD support messages with [@!RFC6532] EAI headers.*

Is that sufficient? (And should it be a MUST?)

> In Section 5:
> 
> HTML is now definitely a Normative reference. More details of what is 
> expected in HTML escaping, other than <mark> wrap?

Good, catch this was inadequately specified. I have rewritten it as:

*subject*: `String|null`
If text from the filter matches the subject, this is the subject of the email with the following transformations:
 1. Any instance of the following three characters MUST be replaced by an appropriate HTML entity: & (ampersand), < (less-than sign), and > (greater-than sign). Other characters MAY also be replaced with an HTML entity form.
 2. The matching words/phrases from the filter are wrapped in [@!HTML] `<mark></mark>` tags.
If the subject does not match text from the filter, this property is `null`.

*preview*: `String|null`
If text from the filter matches the plain-text or HTML body, this is the relevant section of the body (converted to plain text if originally HTML), with the same transformations as the *subject* property. It MUST NOT be bigger than 255 octets in size. If the body does not contain a match for the text from the filter, this property is `null`.

> In Section 7:
> 
> Are "MDN" and "DSN" blobIds referencing only the machine parseable part 
> or the whole multipart/report coming back? I think the document should 
> clarify this and (ideally) give some examples.

This is intended to be the whole MIME message a with a top-level content-type of multipart/report; I have added the following line to the two properties to clarify:

*The blob is the whole MIME message (with a top-level content-type of multipart/report), as received.*

> End of Section 7.5:
> 
>  "The server MAY choose to localise this string into the user's 
> preferred language, if known."
> 
> How can this be done?

This is just acknowledging the server may have some kind of out-of-band knowledge about the authenticated user and if so should use it to increase the likelihood of presenting an understandable error to the user. I think anything more is out of scope of the current specification.
 
> In Section 9.3: SMTP XCLIENT should be an Informative reference.

Done.

> In Section 10.4.4 (Registration of JMAP keyword '$answered')
> 
>  Security Considerations: A server implementing this keyword as a
>  shared keyword may disclose that a user considers the message as
>  flagged for urgent/special attention.
> 
> This looks like a cut & paste error from the text specified for $flagged.

Yes, fixed.

Thanks for the review Alexey. All fixes are pushed to the Git repo <https://github.com/jmapio/jmap/issues> for the spec and live on jmap.io <https://jmap.io/spec-mail.html>; I'll cut a new IETF draft once the remaining clarifications have been settled.

Neil.

v2.23.0 | Report a Bug | By Email