[secdir] Secdir last call review of draft-ietf-extra-imap-fetch-preview-03

Stefan Santesson via Datatracker <noreply@ietf.org> Fri, 22 March 2019 10:44 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 453D71315F2; Fri, 22 Mar 2019 03:44:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stefan Santesson via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: extra@ietf.org, ietf@ietf.org, draft-ietf-extra-imap-fetch-preview.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stefan Santesson <stefan@aaa-sec.com>
Message-ID: <155325148211.23112.1549884159837912898@ietfa.amsl.com>
Date: Fri, 22 Mar 2019 03:44:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CXU8QzGO4rF-XMn9Sfd_8A9vEtQ>
Subject: [secdir] Secdir last call review of draft-ietf-extra-imap-fetch-preview-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 10:44:54 -0000

Reviewer: Stefan Santesson
Review result: Has Issues

This document seems to provide a reasonable contribution and I have no opinion
on the subject matter of this document.

However, the security considerations section seems to lack relevant information.
The current security considerations section raises the threat of DoS attacks.
It is, however, not clear to me how the risk of DoS is affected or mitigated by
the fact that requests for preview data are restricted to authenticated clients.
A discussion of this seems at least to be relevant for the context.
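The point the review asks the draft to spell out is the mechanism by which authentication changes the DoS picture: once every PREVIEW request is bound to an authenticated identity, the server can account for preview-generation cost per user, refuse work beyond a budget, and cache results, none of which is possible for an anonymous caller. The sketch below is an added illustration of that reasoning written for this review; it is not code from the draft, from the reviewer, or from any IMAP server. The 256-character preview cap, the "one budget unit per KiB of body text" cost model and the token-bucket parameters are all assumptions chosen for the example.

```python
"""Per-user cost accounting for IMAP FETCH PREVIEW generation.

Added, illustrative example: shows why binding preview requests to an
authenticated user lets a server bound the DoS exposure of preview
generation (per-user budget + result cache), which an unauthenticated
client could not be held to.
"""
import re
from dataclasses import dataclass

MAX_PREVIEW_CHARS = 256   # assumed cap for this example; confirm against the draft
COST_UNIT_BYTES = 1024    # assumed cost model: one budget unit per KiB of body parsed


class PreviewNotAuthenticated(Exception):
    """PREVIEW requested outside an authenticated session."""


class PreviewRateLimited(Exception):
    """Authenticated user has exhausted their preview-generation budget."""


@dataclass
class TokenBucket:
    """Classic token bucket; time is passed in so the logic is testable offline."""
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def take(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True


class PreviewService:
    """Generates previews, charging the cost to the authenticated user."""

    def __init__(self, capacity: float = 8.0, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}   # user -> TokenBucket
        self.cache = {}     # (user, mailbox, uid) -> rendered preview

    def _bucket(self, user: str, now: float) -> TokenBucket:
        bucket = self.buckets.get(user)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill, self.capacity, now)
            self.buckets[user] = bucket
        return bucket

    @staticmethod
    def render(body: str) -> str:
        """Collapse whitespace and truncate; stands in for real MIME/HTML parsing."""
        text = re.sub(r"\s+", " ", body).strip()
        return text[:MAX_PREVIEW_CHARS]

    def fetch_preview(self, user, mailbox: str, uid: int, body: str, now: float) -> str:
        # Identity is what makes accounting possible: refuse anonymous callers.
        if user is None:
            raise PreviewNotAuthenticated("PREVIEW is only served in authenticated state")
        key = (user, mailbox, uid)
        if key in self.cache:          # repeated fetches of the same message cost nothing
            return self.cache[key]
        cost = max(1.0, len(body.encode("utf-8")) / COST_UNIT_BYTES)
        if not self._bucket(user, now).take(cost, now):
            # A real server would answer the FETCH with a NO and leave other users unaffected.
            raise PreviewRateLimited(f"{user}: preview budget exhausted")
        preview = self.render(body)
        self.cache[key] = preview
        return preview


if __name__ == "__main__":
    svc = PreviewService()
    body = "word " * 2048   # constructed ~10 KiB body, costs 10 units against a budget of 8
    try:
        svc.fetch_preview("alice", "INBOX", 1, body, now=0.0)
    except PreviewRateLimited as exc:
        print("denied:", exc)
    print("served:", svc.fetch_preview("alice", "INBOX", 1, body, now=5.0)[:40], "...")
```

The design point is that the budget and the cache are keyed on the authenticated user, so one client hammering PREVIEW on large messages can only exhaust its own allowance; the same request from an unauthenticated session is rejected before any parsing happens. Whether the draft's own servers do anything like this is exactly what the review asks the security considerations to discuss.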