Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12

Tero Kivinen <kivinen@iki.fi> Fri, 04 January 2019 23:00 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436D5130EA1; Fri, 4 Jan 2019 15:00:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.421
X-Spam-Level:
X-Spam-Status: No, score=-3.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0e2L44XmxcYy; Fri, 4 Jan 2019 15:00:07 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12F9C126BED; Fri, 4 Jan 2019 15:00:06 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x04N023K004057 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 5 Jan 2019 01:00:02 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x04N02MQ020933; Sat, 5 Jan 2019 01:00:02 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-ID: <23599.58738.605524.89790@fireball.acr.fi>
Date: Sat, 5 Jan 2019 01:00:02 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Kurt Andersen \(IETF\)" <kurta+ietf@drkurt.com>
Cc: secdir@ietf.org, IETF JMAP Mailing List <jmap@ietf.org>, draft-ietf-jmap-core.all@ietf.org
In-Reply-To: <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com>
References: <154651703823.29557.748556981627156046@ietfa.amsl.com> <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CWM5HeuEn11jl5WyrQ0D-Q15jwA>
Subject: Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2019 23:00:10 -0000

Kurt Andersen (IETF) writes:
> On Thu, Jan 3, 2019 at 4:04 AM Tero Kivinen <kivinen@iki.fi>; wrote:
> 
>     Reviewer: Tero Kivinen
>     Review result: Has Issues
>    
>     This document also has quite a lot of privacy concerns which are not
>     addressed by it. For example email delivery and event notifications can
>     leak lots of information even to passive attackers.
> 
> How is this any different than the risks present in current mechanisms
> (websockets, HTTP, MAPI, IMAP, etc.)? I don't see this as a new risk being
> introduced by the JMAP protocol.

There is some similarities and differences. For example http does not
have built in event notification system. In most of the other
protocols the event system notification system is built on top of the
other protocol running over for example http.

Here if I understood correctly the event notifications are generated
automatically and application writer using generic JMAP server backend
might not even have any control how those events are generated and
when they are generated. Because of this I think this issue belongs to
the JMAP protocol document.

The main difference with event notification system is, that it is not
between the two peers running the JMAP protocol, or two parties
running some external API connected to JMAP. It involves the third
party, i.e., the party where the notifications are sent to. 

Also the examples given in the document talk about mail, calendar,
contacts etc, which all are data related to privacy and where there
are lots of privacy issues, so clearly this JMAP is designed to be
used in environments where privacy concerns are important, but still
it is silent about them. 

>     Of course sharing mailboxes between multiple users (one of the
>     examples given in 1.6.2), has lots of privacy issues. 
> 
> Again, this is not a new risk being introduced by JMAP. It seems unfair to
> saddle the JMAP protocol with the responsibility of documenting a comprehensive
> set of privacy and security risks for bad or risky behaviours that have been a
> wide part of common practice for decades.

If you provide example of bad and risky behaviours in your document,
you need to also include the warnings about it. Thats why I did
suggested you using different example (i.e., shared work calendar,
shared between co-workers, or shared calendar between family members).

And if you write protocol that can be used to do all kind of things
you should really write comprehensive set of privacy and security
risks inherintly associated with the JMAP protocol, and also include
some generic warnings about common mistakes that users of JMAP can do. 
-- 
kivinen@iki.fi