Re: [secdir] Review of draft-freed-sieve-notary-07

Tero Kivinen <kivinen@iki.fi> Wed, 21 April 2010 15:12 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A87328C3D7; Wed, 21 Apr 2010 08:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.153
X-Spam-Level:
X-Spam-Status: No, score=-2.153 tagged_above=-999 required=5 tests=[AWL=0.446, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQEu-xrR2gPE; Wed, 21 Apr 2010 08:12:02 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id B5D1A28C43C; Wed, 21 Apr 2010 07:50:00 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3LEnehP022198 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Apr 2010 17:49:40 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3LEneQI001446; Wed, 21 Apr 2010 17:49:40 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19407.4228.54234.610657@fireball.kivinen.iki.fi>
Date: Wed, 21 Apr 2010 17:49:40 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <4BCF04A0.1000905@isode.com>
References: <19396.29206.787824.69029@fireball.kivinen.iki.fi> <4BCF04A0.1000905@isode.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 6 min
X-Total-Time: 5 min
Cc: Cyrus Daboo <cyrus@daboo.name>, Ned Freed <ned.freed@mrochek.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-freed-sieve-notary-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2010 15:12:04 -0000

Alexey Melnikov writes:
> >Section 5 also says that the "bytime" is "the initial integer part of
> >the delive-by extension", but then comments that deliver-by by-time is
> >decremented as message passes through the transport infrastructure.
> >This does not make it clear whether the sieve filtering system should
> >also decrement the number while message is waiting to be processed.
> >I.e. if message was received earlier, but it took some time before the
> >sieve email filter could be run on the message, should the "bytime" be
> >the original time from the smtp MAIL FROM BY= part, or whether it is
> >decremented.
> >  
> I don't think it makes sense to decrement the by-time once the message 
> is in the final delivery agent. Otherwise it might be hard to debug 
> Sieve scripts making use of this extension.

What about if email is redirected again, then should the delay caused
by the Sieve script be taken into account?

I do not know whether the Sieve scripts are always run immediately
when the email comes in, or whether it is possible to queue the
messages during peak hours, and then run them through the Sieve
scripts later when the load peak causing servers to be overloaded is
over. In that case it might be useful to decrement the by-time, just
in case the message was something that deliver this if it can be
delivered before the 17:00, but after that return it back to the
sender, so he will know that he needs to call the user, as he knows
the user does not read his emails after that hour (which was one
reason for by-time). 

> >Also the example in 5.1 is wrong, as it is only true if the sieve
> >filter is run exactly when the deliver-by expired.
> >
> Good point.
> 
> >It should compare
> >whether the "bytime" is <= 0, not whether it is equal to 0 (note, that
> >if tye bymode is "return" then the "bytime" never should reach 0, as
> >at that point mail is returned to the sender.
> >
> Yes.
> I would also note that the i;ascii-numeric comparator doesn't work with 
> negative numbers.

Then you might want to express negative (i.e expired by-time) as
setting by-time to zero, but this should be mentioned in the draft.
Other option would be to use strings, I am not sure which one would
better fit to Sieve architecture.

> >In section 7 it should be made clear that ":bytime" parameter "<limit:
> >number>" can be negative too, but it seems that RFC 5228 specifies
> >that numbers can only be non-negative so I am not sure whether the
> >usage is correct or not.  
> >
> I concur, this is a bug.
-- 
kivinen@iki.fi