[secdir] Review of draft-freed-sieve-notary-07

Tero Kivinen <kivinen@iki.fi> Tue, 13 April 2010 13:31 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 4992E3A6A22; Tue, 13 Apr 2010 06:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.67
X-Spam-Status: No, score=-1.67 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_20=-0.74]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id WS1v1ARKaxY2; Tue, 13 Apr 2010 06:31:15 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi []) by core3.amsl.com (Postfix) with ESMTP id E9C8A3A6827; Tue, 13 Apr 2010 06:31:14 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost []) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3DDV3wP012475 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 13 Apr 2010 16:31:03 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3DDV2io012097; Tue, 13 Apr 2010 16:31:02 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19396.29206.787824.69029@fireball.kivinen.iki.fi>
Date: Tue, 13 Apr 2010 16:31:02 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 20 min
X-Total-Time: 19 min
Cc: draft-freed-sieve-notary.all@tools.ietf.org
Subject: [secdir] Review of draft-freed-sieve-notary-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2010 13:31:16 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This draft provides two things. Firstly it will provide ability for
sieve email filtering program to see the delivery status notification
and deliver by information from the envelope. Secondly it allows
setting those same parameters when using sieve redirect action.

The first part does not have security issues, but the second might
have, as it causes delivery notify emails to be sent which were not
originally requested by the original author.

This can cause problems for the original sender, as he is now getting
the deliver status notifications which he has not requested. The draft
does not explictly specify, but I do assume that the sieve redirect
keeps the original sender intact, so the deliver status notification
messages are sent to the original author, not to the user doing the

The number of delivery status notifications can be quite large,
especially if the ":bytrace" option of the redirect is used, as then
every single future step for email processing, will send "relayed"
status notification, and if there is for example mail loop or similar,
this can be several dozen of status notifications.

This should most likely be mentioned in the security considerations
section more clearly. The security considerations section do warn
about generating status notification, and says that

  "Sites which limit the ability to request success notifications will
   also need to restrict the ability to request them using the
   redirect-dsn extension."

but that does not help at all, as if the original senders site limits
the ability to request notifications, the host running sieve email
filter of the receiver might not have such restrictions, thus receiver
can enable them even when they were forbidden from the sender.

Also in section 5, it should be made clear that the "bytime" can also
be negative, if the bymode is "notify" and the message is already
pasts is notification time.

Section 5 also says that the "bytime" is "the initial integer part of
the delive-by extension", but then comments that deliver-by by-time is
decremented as message passes through the transport infrastructure.
This does not make it clear whether the sieve filtering system should
also decrement the number while message is waiting to be processed.
I.e. if message was received earlier, but it took some time before the
sieve email filter could be run on the message, should the "bytime" be
the original time from the smtp MAIL FROM BY= part, or whether it is

Also the example in 5.1 is wrong, as it is only true if the sieve
filter is run exactly when the deliver-by expired. It should compare
whether the "bytime" is <= 0, not whether it is equal to 0 (note, that
if tye bymode is "return" then the "bytime" never should reach 0, as
at that point mail is returned to the sender.

In section 7 it should be made clear that ":bytime" parameter "<limit:
number>" can be negative too, but it seems that RFC 5228 specifies
that numbers can only be non-negative so I am not sure whether the
usage is correct or not.