[secdir] SecDir review of draft-ietf-eai-imap-utf8-07

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 28 August 2009 16:14 UTC

Message-Id: <p0624083ec6bdad5d3ccd@[10.20.30.158]>
Date: Fri, 28 Aug 2009 09:14:31 -0700
To: secdir@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Pete Resnick <presnick@qualcomm.com>, Harald Alvestrand <harald@alvestrand.no>, Chris Newman <Chris.Newman@Sun.COM>, Xiaodong Lee <lee@cnnic.cn>
Subject: [secdir] SecDir review of draft-ietf-eai-imap-utf8-07

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The security sections of this document are fine. The Security Considerations section says, in full:
   The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013]
   apply to this specification, particularly with respect to use of
   UTF-8 in user names and passwords.  Otherwise, this is not believed
   to alter the security considerations of IMAP4rev1.
That should actually be sufficient for implementers of this document. The new uses of UTF-8 described here should not cause any additional security problems beyond what IMAP implementers already face.

The language used in the document is probably appropriate for an IMAP developer who has read lots of other IMAP extensions, but is quite rough for people reading this from an i18n or EAI perspective.

The document *is not ready* for IESG review, however. In fact, it should not have been placed in IETF Last Call in its current state. Did anyone even read the Abstract, for crying out loud? Further, the I-D Nits checker finds two hard errors: a line that is obviously too long, and an obsolete normative reference.

Even though this document hasn't garnered any other IETF Last Call comments, it really needs a careful review from the authors and the document shepherd. (The I-D tracker does not say who the document shepherd is, so I have Cc'd the two WG chairs on this note, assuming one of the two of them was the shepherd but that did not get reported to the tracker.)

--Paul Hoffman, Director
--VPN Consortium