[secdir] SECDIR Review of draft-ietf-qresync-rfc5162bis-10

Phillip Hallam-Baker <hallam@gmail.com> Fri, 14 February 2014 00:31 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/0mdYPg_XbuBCTkGATO4-3N8UdGg

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

We have a problem here: the security considerations in the draft are
a back reference to the original protocol. This is the security references
section of IMAP, a core Internet protocol, in their entirety:

11.     Security Considerations <http://tools.ietf.org/html/rfc3501#section-11>

   IMAP4rev1 protocol transactions, including electronic mail data, are
   sent in the clear over the network unless protection from snooping is
   negotiated.  This can be accomplished either by the use of STARTTLS,
   negotiated privacy protection in the AUTHENTICATE command, or some
   other protection mechanism.

Website: http://hallambaker.com/
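
The RFC 3501 text quoted in the message says IMAP traffic is in the clear unless protection such as STARTTLS is negotiated. The sketch below is an added example, not part of the original message or of the draft: a client-side pre-authentication check that refuses to send credentials on an unprotected connection. The function names, the returned action strings and the sample server lines are assumptions constructed for illustration.

```python
import re

# Constructed sample server lines (not captured traffic).
GREETING_WITH_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
CAPS_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


def parse_capabilities(line):
    """Return the upper-cased capability set from an untagged CAPABILITY
    response or a [CAPABILITY ...] response code; empty set if neither."""
    m = re.match(r"^\* CAPABILITY (.+)$", line.strip(), re.IGNORECASE)
    if not m:
        m = re.search(r"\[CAPABILITY ([^\]]+)\]", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def next_step(line, tls_active):
    """Decide the next client action (hypothetical policy helper).

    After STARTTLS completes, the caller must issue CAPABILITY again and
    pass the fresh response here: capabilities seen before TLS were sent
    in the clear and cannot be trusted.
    """
    caps = parse_capabilities(line)
    if "IMAP4REV1" not in caps:
        return "ABORT"  # no usable capability list
    if not tls_active:
        # Cleartext session: never send credentials. A missing STARTTLS
        # is treated as a failure, not as permission to fall back.
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    if any(c.startswith("AUTH=") for c in caps):
        return "AUTHENTICATE"
    # LOGINDISABLED means the LOGIN command must not be used.
    return "ABORT" if "LOGINDISABLED" in caps else "LOGIN"


if __name__ == "__main__":
    for line, tls in [(GREETING_WITH_TLS, False), (CAPS_NO_TLS, False),
                      (CAPS_AFTER_TLS, True)]:
        print(tls, next_step(line, tls), sorted(parse_capabilities(line)))
```
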