Re: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05

Alexey Melnikov <> Fri, 17 December 2010 22:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D80713A6C40; Fri, 17 Dec 2010 14:02:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.545
X-Spam-Status: No, score=-102.545 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NLlk8r1ctT+q; Fri, 17 Dec 2010 14:02:33 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id EA0F83A6C43; Fri, 17 Dec 2010 14:02:32 -0800 (PST)
Received: from [] ( []) by (submission channel) via TCP with ESMTPA id <>; Fri, 17 Dec 2010 22:04:19 +0000
Message-ID: <>
Date: Fri, 17 Dec 2010 22:03:41 +0000
From: Alexey Melnikov <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
References: <> <025101cb9c88$a2dd79a0$e8986ce0$>
In-Reply-To: <025101cb9c88$a2dd79a0$e8986ce0$>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc:, 'Barry Leiba' <>, 'The IESG' <>
Subject: Re: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Messaging Organization <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Dec 2010 22:02:34 -0000

Adrian Farrel wrote:

>Thanks for the update.
>>>Section 7
>> >  LIST response: There are no security issues with conveying special-
>> >  use information to a client.
>>>Really. Doesn't the exchange of information imply that there is
>>>potential to intercept the information. Knowledge of the message store
>>>usage may be valuable to someone attempting to access messages.
>>If someone can tap into the IMAP stream, this extra bit of information
>>(which will much of the time be guessable from the mailbox name
>>anyway) is the least of anyone's concern.  I don't believe there are
>>any security issues here beyond what exist in IMAP in the first place.
>> I certainly don't think it's the case that *this* is what will push
>>someone over the edge to using TLS, where it was OK not to use TLS
>A way to handle this is to point it out. It is not the document authors' job in
>this sort of case to tell the deployer what to do. But it is the their job to
>say, look, when you are doing this new feature you are increasing your exposure
>and if that worries you, you need to do the security stuff.
>That is, IMHO, it is not the authors' position to say how likely this is to tip
>someone into using TLS. Just set out the facts and point out that TLS exists and
>let people decide for themselves.
I negotiated some text with Barry on this.