Re: [MORG] Discuss and Comment positions on draft-ietf-morg-list-specialuse-05

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 17 December 2010 22:02 UTC

To: Adrian.Farrel@huawei.com
Cc: morg@ietf.org, 'Barry Leiba' <barryleiba@computer.org>, 'The IESG' <iesg@ietf.org>

Adrian Farrel wrote:

>Hi,
>
>Thanks for the update.
>
>[SNIP]
>
>>>Section 7
>>>
>>> >  LIST response: There are no security issues with conveying special-
>>> >  use information to a client.
>>>
>>>Really. Doesn't the exchange of information imply that there is
>>>potential to intercept the information. Knowledge of the message store
>>>usage may be valuable to someone attempting to access messages.
>>>
>>If someone can tap into the IMAP stream, this extra bit of information
>>(which will much of the time be guessable from the mailbox name
>>anyway) is the least of anyone's concern.  I don't believe there are
>>any security issues here beyond what exist in IMAP in the first place.
>>I certainly don't think it's the case that *this* is what will push
>>someone over the edge to using TLS, where it was OK not to use TLS
>>before.
>>
>
>A way to handle this is to point it out. It is not the document authors' job in
>this sort of case to tell the deployer what to do. But it is their job to
>say, look, when you are doing this new feature you are increasing your exposure
>and if that worries you, you need to do the security stuff.
>
>That is, IMHO, it is not the authors' position to say how likely this is to tip
>someone into using TLS. Just set out the facts and point out that TLS exists and
>let people decide for themselves.
>
I negotiated some text with Barry on this.