Re: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05

Adrian Farrel <Adrian.Farrel@huawei.com> Wed, 15 December 2010 18:46 UTC

Return-Path: <Adrian.Farrel@huawei.com>
X-Original-To: morg@core3.amsl.com
Delivered-To: morg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C63CB28C0F2; Wed, 15 Dec 2010 10:46:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.875
X-Spam-Level:
X-Spam-Status: No, score=-103.875 tagged_above=-999 required=5 tests=[AWL=-1.276, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pw-s4U9sEWFm; Wed, 15 Dec 2010 10:46:33 -0800 (PST)
Received: from usaga01-in.huawei.com (usaga01-in.huawei.com [206.16.17.211]) by core3.amsl.com (Postfix) with ESMTP id F231028C0F1; Wed, 15 Dec 2010 10:46:32 -0800 (PST)
Received: from huawei.com (usaga01-in [172.18.4.6]) by usaga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LDH005LRG8FV1@usaga01-in.huawei.com>; Wed, 15 Dec 2010 10:48:15 -0800 (PST)
Received: from 950129200 (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) by usaga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0LDH0044YG8DZZ@usaga01-in.huawei.com>; Wed, 15 Dec 2010 10:48:15 -0800 (PST)
Date: Wed, 15 Dec 2010 18:48:15 +0000
From: Adrian Farrel <Adrian.Farrel@huawei.com>
In-reply-to: <AANLkTinMsRXiq_Q-dwdUEMB0vb1jeXMHyyTgCfW=XnVg@mail.gmail.com>
To: 'Barry Leiba' <barryleiba@computer.org>
Message-id: <025101cb9c88$a2dd79a0$e8986ce0$@huawei.com>
MIME-version: 1.0
X-Mailer: Microsoft Outlook 14.0
Content-type: text/plain; charset=us-ascii
Content-language: en-gb
Content-transfer-encoding: 7BIT
Thread-index: AQFQPstyxqhI3JfnFRtcrWpgUz0QFJSYkBew
References: <AANLkTinMsRXiq_Q-dwdUEMB0vb1jeXMHyyTgCfW=XnVg@mail.gmail.com>
X-Mailman-Approved-At: Thu, 16 Dec 2010 03:04:10 -0800
Cc: morg@ietf.org, 'The IESG' <iesg@ietf.org>
Subject: Re: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05
X-BeenThere: morg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Adrian.Farrel@huawei.com
List-Id: Messaging Organization <morg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/morg>, <mailto:morg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/morg>
List-Post: <mailto:morg@ietf.org>
List-Help: <mailto:morg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/morg>, <mailto:morg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2010 18:46:33 -0000

Hi,

Thanks for the update.

[SNIP]

> > Section 7
> >
>  >  LIST response: There are no security issues with conveying special-
>  >  use information to a client.
> >
> > Really. Doesn't the exchange of information imply that there is
> > potential to intercept the information. Knowledge of the message store
> > usage may be valuable to someone attempting to access messages.
> 
> If someone can tap into the IMAP stream, this extra bit of information
> (which will much of the time be guessable from the mailbox name
> anyway) is the least of anyone's concern.  I don't believe there are
> any security issues here beyond what exist in IMAP in the first place.
>  I certainly don't think it's the case that *this* is what will push
> someone over the edge to using TLS, where it was OK not to use TLS
> before.

A way to handle this is to point it out. It is not the document authors' job in
this sort of case to tell the deployer what to do. But it is the their job to
say, look, when you are doing this new feature you are increasing your exposure
and if that worries you, you need to do the security stuff.

That is, IMHO, it is not the authors' position to say how likely this is to tip
someone into using TLS. Just set out the facts and point out that TLS exists and
let people decide for themselves.

A