[secdir] Secdir review of draft-ietf-jmap-mail-14

Magnus Nyström <magnusn@gmail.com> Tue, 19 February 2019 02:30 UTC

Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00D70130E5D; Mon, 18 Feb 2019 18:30:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46oC6nBCL3_w; Mon, 18 Feb 2019 18:30:22 -0800 (PST)
Received: from mail-yw1-xc2d.google.com (mail-yw1-xc2d.google.com [IPv6:2607:f8b0:4864:20::c2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948A2130E2E; Mon, 18 Feb 2019 18:30:19 -0800 (PST)
Received: by mail-yw1-xc2d.google.com with SMTP id c67so7209972ywa.7; Mon, 18 Feb 2019 18:30:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=+Xxz5aDmgh7aDKNYeZfrsqtSV7Vlybzazjjkrc9YIZ4=; b=Uw5O/sFzU5tAZ5Ptbz/xbRrHsxlFlMwbfhx1KL2Y6cE6PkTqKju466nsXK07KGqsS+ R+a176T8HYFtkaMX6qPKQ9B26U3fAE/vEm0d5CHfIQn0lG3lxex4hhntFATXfV7gZ8GG qO1uEBhEqRPrkgf9egLqDNtcKjX4Kkwr7NSO6E3hKULIbWMB/JylusxDR8r/L9Ec7/WF qH/HFFu76K95ZkwjTFg7VGTSQ57L4IBxQsJcp4WcG0chlMWk125hV/uJ+dx4s0a+ZJmp sQP3zB+7Dl5mmK0aWDU55CCGjXzWPS/RpNSbMPLP9vHftDX8xcke1dC3w2olQm1uKQ3r n2zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=+Xxz5aDmgh7aDKNYeZfrsqtSV7Vlybzazjjkrc9YIZ4=; b=oLcx//+S0fSF9PMAovu1GVuIiaXoPpEW860D4VvrUXMfON41PMGJUUKR8/Mi2Vyyf8 ZWacCifnkCsXkE1sSzRNbedJQGfYQzHj1Jpc+JqBfKoQqnT/BINYwthU0UIdaoJ+EFit aWpMKHLNRGvpaYoZZifN3sDGA7tKkTrWAYTYwAcB8y9m9nmfW+P1tWQfUHf//tlfnLbT PHoka2SxMxJECfL5VEQnJbYSt9y/DGaxC36U7sLXSrx7uhn8iu9DL5KcM/AIjonQH3KW xD5UAdAyKLU5DsNH9akrXb6h4sDZlPOTxY3cknz4on6uCUyZRdpt3SJ0ddf4ytCGHnj0 aa8Q==
X-Gm-Message-State: AHQUAuYEDV3hMFnulaSXOPxHMAms+8Ah65xY0NAE8aOVgixOo2SX0Chk Bw211aA5YJGfsdhwskcEuPNiI4DzbTCa8cJPc4ebsQ==
X-Google-Smtp-Source: AHgI3IZJxWMRPCEfxMCDKDvm9rrdfhmWat0L4wh26X/JpAXkbC8ov96iPjYGa1MoxLi3vHgc+UZnYnXeD/cDioz3yfw=
X-Received: by 2002:a0d:d4c4:: with SMTP id w187mr21555643ywd.41.1550543418608; Mon, 18 Feb 2019 18:30:18 -0800 (PST)
MIME-Version: 1.0
From: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
Date: Mon, 18 Feb 2019 18:30:07 -0800
Message-ID: <CADajj4ZQnWkjKdWpBgsB0oyX8_Kzj6HOL-Vkm=TrByBQMEJfPw@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-jmap-mail@ietf.org
Content-Type: multipart/alternative; boundary="000000000000acd203058236055b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A3mb92k3mO_SMLSBfye9zbrRpqo>
Subject: [secdir] Secdir review of draft-ietf-jmap-mail-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 02:30:24 -0000

 I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document defines a data model for mail over JMAP. JMAP is a JSON-based
protocol for synchronization of data between clients and servers.

   -

   Section 9, the Security Considerations section, generally refers to
draft-ietf-jmap-core for security considerations. I would agree with
this. I wonder for a
   new protocol like this though, if TLS 1.3 should be required?

   -

   Also, for draft-ietf-jmap-core, it would be nice if Basic Auth
could be disallowed for a new protocol like this - trying to move away
from passwords

   - The rest of the Security Considerations section seems fine to me.
   -

   Editorial; Section 9.3: "Milter protocol" - I understand this is
short-hand for "mail filter protocol," but perhaps this should be
written out, maybe with some
   reference? I also could not find the term defined in draft-ietf-jmap-core.

   - Also in 9.3, should "the Milter protocol" be "a Milter protocol"? Not
   sure.

Thanks.
-- Magnus