IETF Logo Mail Archive

Re: [secdir] SECDIR Review of draft-ietf-qresync-rfc5162bis-10

Jeffrey Hutzelman <jhutz@cmu.edu> Fri, 14 February 2014 01:37 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D12541A001E for <secdir@ietfa.amsl.com>; Thu, 13 Feb 2014 17:37:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBr8_FnniWGL for <secdir@ietfa.amsl.com>; Thu, 13 Feb 2014 17:37:13 -0800 (PST)
Received: from smtp02.srv.cs.cmu.edu (smtp02.srv.cs.cmu.edu [128.2.217.201]) by ietfa.amsl.com (Postfix) with ESMTP id B91591A0016 for <secdir@ietf.org>; Thu, 13 Feb 2014 17:37:13 -0800 (PST)
Received: from [128.237.246.30] ([128.237.246.30]) (authenticated bits=0) by smtp02.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id s1E1b6KV008175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 13 Feb 2014 20:37:10 -0500 (EST)
Message-ID: <1392341826.4569.14.camel@destiny.pc.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Phillip Hallam-Baker <hallam@gmail.com>
Date: Thu, 13 Feb 2014 20:37:06 -0500
In-Reply-To: <CAMm+LwhWJ2Csb0V3ymvULscfRuxDkuF11FRBbFv4Bt_2LqZFbQ@mail.gmail.com>
References: <CAMm+LwhWJ2Csb0V3ymvULscfRuxDkuF11FRBbFv4Bt_2LqZFbQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.4-0ubuntu1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.201
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/5WqptnUvRXFFJuQJ1O1Je5m_SbI
Cc: "secdir@ietf.org" <secdir@ietf.org>, jhutz@cmu.edu
Subject: Re: [secdir] SECDIR Review of draft-ietf-qresync-rfc5162bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 01:37:16 -0000

On Thu, 2014-02-13 at 19:31 -0500, Phillip Hallam-Baker wrote:


> We have a problem here, the security considerations in the draft are
> a back reference to the original protocol. This is the security references
> section of IMAP, a core Internet protocol in their entirety:
> 
> 11 <http://tools.ietf.org/html/rfc3501#section-11>.     Security Considerations
> 
>    IMAP4rev1 protocol transactions, including electronic mail data, are
>    sent in the clear over the network unless protection from snooping is
>    negotiated.  This can be accomplished either by the use of STARTTLS,
>    negotiated privacy protection in the AUTHENTICATE command, or some
>    other protection mechanism.

Nope.  That's the entirety of the _introduction_ to the security
considerations section in RFC33501.  It is followed by two subsections
which give a fairly detailed treatment of issues related to
authentication, connection security, and handling of passwords.

That's not to say the security considerations in the IMAP spec are
complete and perfect; they're certainly not.  For example, there is no
discussion of authorization and access control.  However, incomplete is
not the same as nonexistent, and there is no need here to be alarmist.

-- Jeff

v2.23.0 | Report a Bug | By Email