Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12
Tero Kivinen <kivinen@iki.fi> Fri, 04 January 2019 23:00 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436D5130EA1; Fri, 4 Jan 2019 15:00:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.421
X-Spam-Level:
X-Spam-Status: No, score=-3.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0e2L44XmxcYy; Fri, 4 Jan 2019 15:00:07 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12F9C126BED; Fri, 4 Jan 2019 15:00:06 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x04N023K004057 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 5 Jan 2019 01:00:02 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x04N02MQ020933; Sat, 5 Jan 2019 01:00:02 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <23599.58738.605524.89790@fireball.acr.fi>
Date: Sat, 05 Jan 2019 01:00:02 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Kurt Andersen (IETF)" <kurta+ietf@drkurt.com>
Cc: secdir@ietf.org, IETF JMAP Mailing List <jmap@ietf.org>, draft-ietf-jmap-core.all@ietf.org
In-Reply-To: <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com>
References: <154651703823.29557.748556981627156046@ietfa.amsl.com> <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CWM5HeuEn11jl5WyrQ0D-Q15jwA>
Subject: Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2019 23:00:10 -0000
Kurt Andersen (IETF) writes: > On Thu, Jan 3, 2019 at 4:04 AM Tero Kivinen <kivinen@iki.fi> wrote: > > Reviewer: Tero Kivinen > Review result: Has Issues > > This document also has quite a lot of privacy concerns which are not > addressed by it. For example email delivery and event notifications can > leak lots of information even to passive attackers. > > How is this any different than the risks present in current mechanisms > (websockets, HTTP, MAPI, IMAP, etc.)? I don't see this as a new risk being > introduced by the JMAP protocol. There is some similarities and differences. For example http does not have built in event notification system. In most of the other protocols the event system notification system is built on top of the other protocol running over for example http. Here if I understood correctly the event notifications are generated automatically and application writer using generic JMAP server backend might not even have any control how those events are generated and when they are generated. Because of this I think this issue belongs to the JMAP protocol document. The main difference with event notification system is, that it is not between the two peers running the JMAP protocol, or two parties running some external API connected to JMAP. It involves the third party, i.e., the party where the notifications are sent to. Also the examples given in the document talk about mail, calendar, contacts etc, which all are data related to privacy and where there are lots of privacy issues, so clearly this JMAP is designed to be used in environments where privacy concerns are important, but still it is silent about them. > Of course sharing mailboxes between multiple users (one of the > examples given in 1.6.2), has lots of privacy issues. > > Again, this is not a new risk being introduced by JMAP. It seems unfair to > saddle the JMAP protocol with the responsibility of documenting a comprehensive > set of privacy and security risks for bad or risky behaviours that have been a > wide part of common practice for decades. If you provide example of bad and risky behaviours in your document, you need to also include the warnings about it. Thats why I did suggested you using different example (i.e., shared work calendar, shared between co-workers, or shared calendar between family members). And if you write protocol that can be used to do all kind of things you should really write comprehensive set of privacy and security risks inherintly associated with the JMAP protocol, and also include some generic warnings about common mistakes that users of JMAP can do. -- kivinen@iki.fi
- [secdir] Secdir last call review of draft-ietf-jm… Tero Kivinen
- Re: [secdir] Secdir last call review of draft-iet… Kurt Andersen (IETF)
- Re: [secdir] Secdir last call review of draft-iet… Barry Leiba
- Re: [secdir] [Jmap] Secdir last call review of dr… Ned Freed
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] [Jmap] Secdir last call review of dr… Jeffrey Hutzelman
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk
- Re: [secdir] [Jmap] Secdir last call review of dr… Ned Freed
- Re: [secdir] Secdir last call review of draft-iet… Bron Gondwana
- Re: [secdir] Secdir last call review of draft-iet… Neil Jenkins
- Re: [secdir] Secdir last call review of draft-iet… Barry Leiba
- Re: [secdir] Secdir last call review of draft-iet… Bron Gondwana
- Re: [secdir] [Jmap] Secdir last call review of dr… Tony Finch
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] [Jmap] Secdir last call review of dr… Ned Freed
- Re: [secdir] [Jmap] Secdir last call review of dr… Barry Leiba
- Re: [secdir] Secdir last call review of draft-iet… Neil Jenkins
- Re: [secdir] Secdir last call review of draft-iet… Bron Gondwana
- Re: [secdir] Secdir last call review of draft-iet… Neil Jenkins
- Re: [secdir] [Jmap] Secdir last call review of dr… Neil Jenkins
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen
- Re: [secdir] [Jmap] Secdir last call review of dr… Ned Freed
- Re: [secdir] Secdir last call review of draft-iet… Neil Jenkins
- Re: [secdir] [Jmap] Secdir last call review of dr… Neil Jenkins
- Re: [secdir] [Jmap] Secdir last call review of dr… Tero Kivinen
- Re: [secdir] [Jmap] Secdir last call review of dr… Neil Jenkins
- Re: [secdir] Secdir last call review of draft-iet… Tero Kivinen