Re: [secdir] [Jmap] Secdir last call review of draft-ietf-jmap-core-12

Ned Freed <ned.freed@mrochek.com> Mon, 07 January 2019 16:57 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB9A0130F61; Mon, 7 Jan 2019 08:57:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mrochek.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DlhREjP8Y8S; Mon, 7 Jan 2019 08:57:44 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.218.59.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2C86130F4D; Mon, 7 Jan 2019 08:57:43 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01R1Q3OCHS8000CGN6@mauve.mrochek.com>; Mon, 7 Jan 2019 08:52:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=201712; t=1546879959; bh=O47qt/JpRE5dpigGQmc6Fub8funuTwzLroQn+ERfi3k=; h=Cc:Date:From:Subject:In-reply-to:References:To:From; b=Kx/ezKI2hTaHnkWKIZ1OfY4ov0aB5DSBbgrLTZrCpyzUtd3oR4FdN0/bZ7Oa2jKJ5 r1Di8IPu01R+WNyBCFzTO9r+DAKHT0m+9CYxUn9xBvT4nLeo8K/TMIaXJisF7ptYts luHWgsuYCBRhK4fcrHFCwquGV8GnNF55gxUL6ZYA=
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=us-ascii
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01R1N39ADWKW00004L@mauve.mrochek.com>; Mon, 7 Jan 2019 08:52:32 -0800 (PST)
Cc: Ned Freed <ned.freed@mrochek.com>, "Kurt Andersen (IETF)" <kurta+ietf@drkurt.com>, IETF JMAP Mailing List <jmap@ietf.org>, draft-ietf-jmap-core.all@ietf.org, Tero Kivinen <kivinen@iki.fi>, secdir@ietf.org
Message-id: <01R1Q3OA5O7800004L@mauve.mrochek.com>
Date: Mon, 07 Jan 2019 08:43:59 -0800 (PST)
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Mon, 07 Jan 2019 12:24:52 +0000" <alpine.DEB.2.20.1901071223520.3160@grey.csi.cam.ac.uk>
References: <154651703823.29557.748556981627156046@ietfa.amsl.com> <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com> <01R1M7QIBP9I00004R@mauve.mrochek.com> <alpine.DEB.2.20.1901071223520.3160@grey.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4ZKHii-rcSyDugiKz1YBH34fG4I>
Subject: Re: [secdir] [Jmap] Secdir last call review of draft-ietf-jmap-core-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 16:57:46 -0000

> Ned Freed <ned.freed@mrochek.com>; wrote:
> >
> > AFAICT it's different in the sense that this is the first push email
> > notification mechanism we have standardized.

> What about RFC 2177 IMAP IDLE?

IDLE is an odd mix of pull and push. I don't think it really meets the criteria
for a pure push mechanism, although on futher consideration I suppose with some
persistance and careful observation of multiple IMAP streams you could perform
this sort of traffic analysis on it.

That said, the fact that the security considerations section in RFC 2177
says in its entirety:

  There are no known security issues with this extension.

is pretty disturbing regardless. At a minimum an IDLE stream leaks information
about a particular mailbox's activity, even when uncorrelated with incoming
messages.

				Ned