[secdir] Secdir last call review of draft-ietf-extra-imap-fetch-preview-03
Stefan Santesson via Datatracker <noreply@ietf.org> Fri, 22 March 2019 10:44 UTC
From: Stefan Santesson via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: extra@ietf.org, ietf@ietf.org, draft-ietf-extra-imap-fetch-preview.all@ietf.org
Reply-To: Stefan Santesson <stefan@aaa-sec.com>
Date: Fri, 22 Mar 2019 03:44:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CXU8QzGO4rF-XMn9Sfd_8A9vEtQ>
Subject: [secdir] Secdir last call review of draft-ietf-extra-imap-fetch-preview-03

Reviewer: Stefan Santesson
Review result: Has Issues

This document seems to provide a reasonable contribution and I have no opinion on the subject matter of this document. However, the security considerations section seems to lack relevant information.

The current security considerations section raises the threat of DOS attacks. It is, however, not clear to me how the risk of DOS is affected or mitigated by the fact that requests for preview data are restricted to authenticated clients. A discussion of this seems at least to be relevant for the context.