[secdir] Re: [Extra] Secdir last call review of draft-ietf-extra-imap-messagelimit-08

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 12 June 2024 09:27 UTC

To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, secdir@ietf.org
CC: draft-ietf-extra-imap-messagelimit.all@ietf.org, extra@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CeFs7WHLrGsFv0JUTjyqXskUIHk>

Hi Kathleen,

Thank you for your review!

On 31/05/2024 22:16, Kathleen Moriarty via Datatracker wrote:
> Reviewer: Kathleen Moriarty
> Review result: Ready
>
> The extension restricts the number of messages that can be processed with a
> command. The security considerations section notes that new bugs could
> potentially be introduced, and that quality assurance testing will be used to
> mitigate that possibility.
>
> Restrictions or setting limits typically helps to prevent security problems
> such as buffer overruns, so the extension could be helpful from a security
> perspective preventing DoS attacks or other exploits of the server or server
> resources.
>
> If the team would like to add something to that effect into the security
> considerations, it is reasonable.

Ok, we will add.

Best Regards,

Alexey