RE: [lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
"Eric Burger" <eburger@brooktrout.com> Mon, 08 August 2005 06:20 UTC
Subject: RE: [lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
Date: Mon, 08 Aug 2005 02:16:59 -0400
Message-ID: <330A23D8336C0346B5C1A5BB19666647A06172@ATLANTIS.Brooktrout.com>
From: Eric Burger <eburger@brooktrout.com>
To: Mark Crispin <mrc@CAC.Washington.EDU>, Randall Gellens <randy@qualcomm.com>
Cc: Lemonade <lemonade@ietf.org>
<chair-hat> We do not think that the edits suggested by Randy change the protocol one whit, and thus can be addressed in AUTH48, without the need to generate another draft. Whine if one disagrees. </chair-hat>

-----Original Message-----
From: lemonade-bounces@ietf.org [mailto:lemonade-bounces@ietf.org] On Behalf Of Mark Crispin
Sent: Friday, August 05, 2005 6:07 AM
To: Randall Gellens
Cc: Lemonade; iesg@ietf.org
Subject: [lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt

It's 3AM here, so please forgive me if I have a brain fart.

On Fri, 5 Aug 2005, Randall Gellens wrote:
> Technical:
>
> Section 3, lines 239-241: "Use of either of these access identifiers
> makes it impossible for an attacker, spying on the session, to use the
> same URL, either directly or by submission to a message submission
> entity."
>
> The "impossible" depends on the attacker being able to capture the
> session, but not be able to use the same submission server or to
> capture the user's authentication credentials (for either the IMAP or
> submit services). While this seems very obvious, and perhaps not worth
> saying, it does mean, for example, that an attacker who shares the same
> submission server can reuse a URLAUTH protected by "submit+",

I don't see how, given the semantics of submit+<userid>, which requires that "only a userid authorized as a message submission entity on behalf of the specified userid is permitted to use this URL. Normally, this will be the current authorization userid on the submission server.

So the attacker must not merely share the same submission server; the attacker must be able to authorize as that userid on the submission server in order to reuse a URL protected by "submit+".

I don't think that I need to answer your other comments; the desired document action in each case all seems to be obvious. Please let me know if you feel that you need feedback, since otherwise I intend to do the seemingly obvious when preparing it for an RFC.
If I'm not mistaken, this document has finished WGLC and is awaiting IESG action, correct? If it's still in WGLC, I wouldn't mind issuing a new I-D with your action items addressed.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

_______________________________________________
lemonade mailing list
lemonade@ietf.org
https://www1.ietf.org/mailman/listinfo/lemonade
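Worked example, added here and not part of the thread or of any IMAP server's code: a Python checker for the access-identifier semantics that Mark and Randy are discussing. It assumes a constructed per-mailbox key and an HMAC-SHA256 token computed over the rump URL (the draft's "internal" mechanism leaves the token construction to the server, so that choice is this example's own), and it models "authorized as a message submission entity on behalf of <userid>" as a set of userids the requester is allowed to submit for. Beyond the "submit+" case the thread argues over, it also handles the "user+", "authuser" and "anonymous" identifiers from the same section of the draft (the semantics as published in RFC 4467). Userids are restricted to unencoded ASCII to keep the parser short.

```python
"""Checker for URLAUTH access identifiers (draft-ietf-lemonade-urlauth / RFC 4467).

Added example; not the lemonade thread's or any IMAP server's code.
Assumptions: a server-side per-mailbox key, an HMAC-SHA256 token over the rump
URL, and a Requester model in which 'submits_for' lists the userids the caller
is authorized to act for as a message submission entity.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed secret standing in for the server's per-mailbox access key.
MAILBOX_KEY = b"example-mailbox-access-key-not-a-real-secret"

# Shape: <rump>;URLAUTH=<access>:<mechanism>:<token>
# The rump (everything up to and including the access identifier) is what the token covers.
URLAUTH_RE = re.compile(
    r"^(?P<rump>imap://[^/]+/.*;urlauth=(?P<access>[a-z0-9+.-]+)):"
    r"(?P<mech>[a-z0-9-]+):(?P<token>[0-9a-f]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Requester:
    """Who is presenting the URL to the IMAP server."""
    userid: Optional[str]                       # None means anonymous
    submits_for: FrozenSet[str] = frozenset()   # userids this entity may submit on behalf of


def token_for(rump: str, key: bytes = MAILBOX_KEY) -> str:
    """HMAC-SHA256 over the rump URL (example's choice of token algorithm)."""
    return hmac.new(key, rump.encode("ascii"), hashlib.sha256).hexdigest()


def mint(rump_with_access: str, key: bytes = MAILBOX_KEY) -> str:
    """Turn 'imap://...;urlauth=<access>' into a full URLAUTH URL using the 'internal' mechanism."""
    return f"{rump_with_access}:internal:{token_for(rump_with_access, key)}"


def access_permits(access: str, who: Requester) -> bool:
    """Access-identifier semantics from section 3 of the draft."""
    a = access.lower()
    if a == "anonymous":
        return True                              # any user, authenticated or not
    if who.userid is None:
        return False                             # every other identifier needs a real user
    if a == "authuser":
        return True                              # any non-anonymous user
    if a.startswith("user+"):
        return who.userid == access[len("user+"):]
    if a.startswith("submit+"):
        # Only an entity authorized to submit on behalf of the named userid.
        # Sharing the same submission server is not enough by itself.
        return access[len("submit+"):] in who.submits_for
    return False                                 # unknown identifier: deny


def verify(url: str, who: Requester, key: bytes = MAILBOX_KEY) -> Tuple[bool, str]:
    """Decide whether 'who' may use 'url'; returns (allowed, reason)."""
    m = URLAUTH_RE.match(url)
    if not m:
        return False, "not a URLAUTH URL"
    if m["mech"].lower() != "internal":
        return False, "unknown mechanism"
    # The token binds the whole rump, so rewriting the access identifier breaks it.
    if not hmac.compare_digest(token_for(m["rump"], key), m["token"].lower()):
        return False, "bad token"
    if not access_permits(m["access"], who):
        return False, f"requester not permitted by {m['access']}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: joe's message part, usable only by a submission entity acting for fred.
    url = mint("imap://joe@example.com/INBOX/;uid=20/;section=1.2;urlauth=submit+fred")
    print(verify(url, Requester("submit-svc", frozenset({"fred"}))))     # fred's submission
    print(verify(url, Requester("submit-svc", frozenset({"mallory"}))))  # same server, other user
    print(verify(url.replace("submit+fred", "anonymous"), Requester(None)))  # downgrade attempt
```

Two things the code makes concrete about Mark's reply. The token covers the whole rump, including the access identifier, so an eavesdropper who captured a "submit+fred" URL cannot rewrite it to "anonymous" or "user+mallory" without invalidating it. And the "submit+" check asks who the requester is authorized to submit for, not which server the request came from, so an attacker who merely shares fred's submission server still fails unless that server is acting on fred's behalf at the time.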
- [lemonade] Comments on draft-ietf-lemonade-urlaut… Randall Gellens
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Mark Crispin
- RE: [lemonade] Re: Comments on draft-ietf-lemonad… Eric Burger
- RE: [lemonade] Re: Comments on draft-ietf-lemonad… Mark Crispin
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Randall Gellens
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Mark Crispin
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Randall Gellens