[MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05

Barry Leiba <barryleiba@computer.org> Wed, 15 December 2010 15:56 UTC

Date: Wed, 15 Dec 2010 10:58:27 -0500
Message-ID: <AANLkTinMsRXiq_Q-dwdUEMB0vb1jeXMHyyTgCfW=XnVg@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Sean Turner <turners@ieca.com>, Adrian Farrel <adrian.farrel@huawei.com>, Ralph Droms <rdroms.ietf@gmail.com>
Cc: morg@ietf.org, The IESG <iesg@ietf.org>
Subject: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05

(Adding the MORG mailing list.)

On Wed, Dec 15, 2010 at 10:04, Sean Turner <turners@ieca.com> wrote:
> This is a modified position.  I've removed those that have been addressed.
> The remaining two will be cleared after the RFC editor's note/new version
> has been posted:
> #2) Are there any security considerations with combining special-use to the
> metadata extension?
> #3) There's also some text Barry & Chris have agreed to incorporate based
> on Chris' SECDIR review:
> http://www.ietf.org/mail-archive/web/secdir/current/msg02277.html

I've just submitted an -06 version that has the new paragraph in the
security considerations, as discussed with Chris, and that also
mentions metadata along with CREATE USE.

This version also addresses Ralph's non-blocking comment with this change:

   All of the above attributes are OPTIONAL, and any given server or
   message store may support any combination of the attributes, or none
   at all.  In most cases there will likely be at most one mailbox with
   a given attribute for a given user, but in some server or message
   store implementations it might be possible for multiple mailboxes to
   have the same special-use attribute.

Also, in response to Adrian's non-blocking comment, I've lower-cased
the words "may" and "optional" in the abstract and introduction.  On
capitali[s/z]ing the section headings, I guess the RFC editor will
decide the style here.  Adrian made one more point in his comment:

> Section 7
>    LIST response: There are no security issues with conveying special-
>    use information to a client.
> Really. Doesn't the exchange of information imply that there is
> potential to intercept the information. Knowledge of the message store
> usage may be valuable to someone attempting to access messages.

If someone can tap into the IMAP stream, this extra bit of information
(which will much of the time be guessable from the mailbox name
anyway) is the least of anyone's concern.  I don't believe there are
any security issues here beyond what exist in IMAP in the first place.
I certainly don't think it's the case that *this* is what will push
someone over the edge to using TLS, where it was OK not to use TLS