IETF Logo Mail Archive

Re: Request to review draft-yevstifeyev-pops-uri-scheme-02

Mykyta Yevstifeyev <evnikita2@gmail.com> Wed, 16 March 2011 07:42 UTC

Received: from hoffman.proper.com (localhost [127.0.0.1]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2G7gxq3087724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 16 Mar 2011 00:42:59 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by hoffman.proper.com (8.14.4/8.13.5/Submit) id p2G7gxHo087723; Wed, 16 Mar 2011 00:42:59 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: hoffman.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from mail-yi0-f43.google.com (mail-yi0-f43.google.com [209.85.218.43]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2G7gucv087718 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <ietf-pop3ext@imc.org>; Wed, 16 Mar 2011 00:42:57 -0700 (MST) (envelope-from evnikita2@gmail.com)
Received: by yia13 with SMTP id 13so659837yia.16 for <ietf-pop3ext@imc.org>; Wed, 16 Mar 2011 00:42:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=h7Gr5uZ/rS7fQFOkoANVn4A3Kw73E4jI3GhCifGMl3Q=; b=Vf4KBmbbisYROU0ENsmDmS7PPHechD3E4X2/PcdD+znxdCjU5165ak4T98b+ADToTS GJZufbD3dvsRg8lfa16ZGan+TqLHYbXCDOSs+2qEf9viZS+RAawJEihxZNzVf1M5VAC/ Ng3EHD9meT0o2QUJQR10frUVLz2O5coyESkAs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=qCI5rDja7kTR6/+LlmHiiDYzXQCj7yQdI6AF9gMUylNZuWn3iLfr8yydMC5BXk5zgs deB/ybyVB+YbqGTIdwNhpWfoRGNmHcHU98q/hJoeFxVu3lH7Q+pOlnG4UpI+NU0T77f8 v4CI1PmxktSEG9HSz7nuA/SJBFfnR1we1qwsE=
MIME-Version: 1.0
Received: by 10.151.43.8 with SMTP id v8mr1001007ybj.296.1300261374081; Wed, 16 Mar 2011 00:42:54 -0700 (PDT)
Received: by 10.150.219.5 with HTTP; Wed, 16 Mar 2011 00:42:54 -0700 (PDT)
In-Reply-To: <6D07F4374764D58687F8B4B7@96B2F16665FF96BAE59E9B90>
References: <4D7F86F1.1070507@gmail.com> <6D07F4374764D58687F8B4B7@96B2F16665FF96BAE59E9B90>
Date: Wed, 16 Mar 2011 09:42:54 +0200
Message-ID: <AANLkTim7o-mVfo4F-8zXXvCK8sZcfcXs-9cECt0J-_ac@mail.gmail.com>
Subject: Re: Request to review draft-yevstifeyev-pops-uri-scheme-02
From: Mykyta Yevstifeyev <evnikita2@gmail.com>
To: Chris Newman <chris.newman@oracle.com>
Cc: draft-yevstifeyev-pops-uri-scheme@tools.ietf.org, ietf-pop3ext@imc.org, uri-review@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

Chris,

Thanks for your comments.  See some responses in-line.

2011/3/15, Chris Newman <chris.newman@oracle.com>:
> This document fails to provide and rules with respect to identity checks
> for TLS with the POP application. A reference to RFC 5246 is not sufficient
> as TLS leaves identity issues to the application. Examples of such rules
> are in RFC 2595 section 2.4 and 2.5. Or more recently, RFC 4513 section
> 3.1.2, 3.1.3.
>
IMO that procedure described in RFC 2595 apply to this case as well.
I suppose it can be added by normative reference in the next version.
>
> This document fails to state whether the POP server is in AUTHORIZATION
> state or TRANSACTION state upon conclusion of the SSL/TLS negotiation on
> the pops port.
>
It's considered that the user agent will enter AUTHORIZATION state
after TLS negotiation.  The case when it will be already in
TRANSACTION state is described in RFC 2595.
>
> Without such a statement in a standard document, the "pops" protocol is a
> non-interoperable protocol when client certificate authentication is used
> and thus is not suitable for standards track recognition.
>
> If you state that the POP server is in AUTHORIZATION state after the TLS
> negotiation completes, even if a client certificate is supplied, then your
> document will be consistent with RFC 2595 and the EXTERNAL SASL
> mechanism
> can be used to enter TRANSACTION state, but the document will not
> necessarily be consistent with the majority behavior of de-facto pops
> implementations that support client certificates.
>
You mean the implementations of RFC 2595, while the proposed document
contains different POP3 over TLS binding at all.  The purpose of it is
to provide another procedure, not that described in 2595.

All the best,
Mykyta Yevstifeyev
>
> If you state that the POP server is in TRANSACTION state after the TLS
> negotiation completes if a valid client certificate was supplied and that
> the TLS negotiation MUST fail and/or the connection MUST be closed by the
> server if the client certificate is not valid, that means clients will have
> to implement RFC 2595 STLS if they wish to use an authorization identity
> different from the authentication identity.
>
> 		- Chris
>
> --On March 15, 2011 17:34:09 +0200 Mykyta Yevstifeyev <evnikita2@gmail.com>
> wrote:
>> Hi,
>>
>> I'm writing to request a review of draft-yevstifeyev-pops-uri-scheme-02,
>> that can be found here:
>> http://tools.ietf.org/html/draft-yevstifeyev-pops-uri-scheme-02
>>
>> The document specifies the 'pops' URI scheme to designate the access to
>> POP3 mailboxes available over secure TLS connections and may be
>> considered to be appropriate for discussion here.
>>
>> Any comments directed to draft-yevstifeyev-pops-uri-scheme@tools.ietf.org
>> and copied to ietf-pop3ext@imc.org and uri-review@ietf.org are welcome.
>>
>> All the best,
>> Mykyta Yevstifeyev
>
>

v2.23.0 | Report a Bug | By Email