[lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
Mark Crispin <mrc@CAC.Washington.EDU> Fri, 05 August 2005 10:07 UTC
Date: Fri, 05 Aug 2005 03:07:21 -0700
From: Mark Crispin <mrc@CAC.Washington.EDU>
To: Randall Gellens <randy@qualcomm.com>
In-Reply-To: <p07000c03bf127ddcfd5c@[192.168.1.13]>
Message-ID: <Pine.OSX.4.63.0508050254260.477@pangtzu.panda.com>
References: <p07000c03bf127ddcfd5c@[192.168.1.13]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: Lemonade <lemonade@ietf.org>, iesg@ietf.org
Subject: [lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
It's 3AM here, so please forgive me if I have a brain fart.

On Fri, 5 Aug 2005, Randall Gellens wrote:
> Technical:
>
> Section 3, lines 239-241: "Use of either of these access
> identifiers makes it impossible for an attacker, spying on the
> session, to use the same URL, either directly or by submission to a
> message submission entity."
>
> The "impossible" depends on the attacker being able to capture the session,
> but not be able to use the same submission server or to capture the user's
> authentication credentials (for either the IMAP or submit services). While
> this seems very obvious, and perhaps not worth saying, it does mean, for
> example, that an attacker who shares the same submission server can reuse a
> URLAUTH protected by "submit+",

I don't see how, given the semantics of submit+<userid>, which requires that
"only a userid authorized as a message submission entity on behalf of the
specified userid is permitted to use this URL." Normally, this will be the
current authorization userid on the submission server.

So the attacker must not merely share the same submission server; the
attacker must be able to authorize as that userid on the submission server
in order to reuse a URL protected by "submit+".

I don't think that I need to answer your other comments; the desired
document action in each case seems to be obvious. Please let me know if you
feel that you need feedback, since otherwise I intend to do the seemingly
obvious when preparing it for an RFC.

If I'm not mistaken, this document has finished WGLC and is awaiting IESG
action, correct? If it's still in WGLC, I wouldn't mind issuing a new I-D
with your action items addressed.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
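The access-identifier check Mark is describing, as an added Python model (not code from the urlauth draft or from any IMAP server): given who presents a captured URL to the IMAP server, decide whether the `submit+<userid>` (or `user+<userid>`) identifier permits its use. The `user+`, `authuser` and `anonymous` identifiers come from the urlauth draft rather than from this message; the `Principal` model, the sample URLs and the hex token are constructed for the example, and token verification is assumed to have happened already.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Matches the ";URLAUTH=<access>:<mech>:<token>" tail of an IMAP URL.
ACCESS_RE = re.compile(
    r";URLAUTH=(?P<access>[^:;]+):(?P<mech>[^:]+):(?P<token>[0-9A-Fa-f]+)", re.I)

@dataclass(frozen=True)
class Principal:
    """Who presents the URL to the IMAP server (constructed model, not draft text)."""
    userid: Optional[str]                      # None means an anonymous session
    submits_for: FrozenSet[str] = frozenset()  # userids this principal may submit on behalf of

def parse_access(url: str) -> str:
    m = ACCESS_RE.search(url)
    if m is None:
        raise ValueError("URL carries no URLAUTH access identifier")
    return m.group("access")

def may_use(url: str, who: Principal) -> bool:
    """Strict reading of the access identifier; the URLAUTH token itself is assumed verified."""
    access = parse_access(url)
    if access == "anonymous":
        return True
    if access == "authuser":
        return who.userid is not None
    if access.startswith("user+"):
        return who.userid == access[len("user+"):]
    if access.startswith("submit+"):
        # Only an entity authorized to submit on behalf of the named userid qualifies;
        # merely sharing the submission server does not.
        return access[len("submit+"):] in who.submits_for
    raise ValueError(f"unknown access identifier {access!r}")

# Constructed sample URLs; the token is made up and never checked here.
TOKEN = "internal:0123456789abcdef0123456789abcdef"
SUBMIT_URL = f"imap://alice@example.com/INBOX/;UID=20/;section=1.2;urlauth=submit+alice:{TOKEN}"
USER_URL = f"imap://alice@example.com/INBOX/;UID=20/;section=1.2;urlauth=user+alice:{TOKEN}"

ALICE = Principal("alice")
SUBMIT_SERVER = Principal("submit-svc", frozenset({"alice"}))  # submission server acting for alice
MALLORY = Principal("mallory", frozenset({"mallory"}))         # same server, different authorization
ANON = Principal(None)                                         # replay from an anonymous session

def replay_scenario() -> dict:
    """(submit+alice usable?, user+alice usable?) for each principal who replays the captured URLs."""
    return {name: (may_use(SUBMIT_URL, p), may_use(USER_URL, p))
            for name, p in [("alice", ALICE), ("submit-svc", SUBMIT_SERVER),
                            ("mallory", MALLORY), ("anon", ANON)]}

if __name__ == "__main__":
    print(replay_scenario())
```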