[secdir] secdir review of draft-ietf-eai-mailinglistbis-05

Charlie Kaufman <charliek@microsoft.com> Wed, 22 August 2012 20:46 UTC

Return-Path: <charliek@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 81F3D21F86D7; Wed, 22 Aug 2012 13:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.534
X-Spam-Level: *
X-Spam-Status: No, score=1.534 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_RAND_6=2, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id R+er5tIJMhjE; Wed, 22 Aug 2012 13:46:16 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe001.messaging.microsoft.com []) by ietfa.amsl.com (Postfix) with ESMTP id 3A33821F86BD; Wed, 22 Aug 2012 13:46:16 -0700 (PDT)
Received: from mail221-ch1-R.bigfish.com ( by CH1EHSOBE009.bigfish.com ( with Microsoft SMTP Server id; Wed, 22 Aug 2012 20:46:15 +0000
Received: from mail221-ch1 (localhost []) by mail221-ch1-R.bigfish.com (Postfix) with ESMTP id 490CF2C04B7; Wed, 22 Aug 2012 20:46:15 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: 2
X-BigFish: VS2(zzc85fhzz1202hzz8275bh8275dhz2fh2a8h683h839hd24hf0ah107ah9a9j)
Received-SPF: pass (mail221-ch1: domain of microsoft.com designates as permitted sender) client-ip=; envelope-from=charliek@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail221-ch1 (localhost.localdomain []) by mail221-ch1 (MessageSwitch) id 1345668372916895_21591; Wed, 22 Aug 2012 20:46:12 +0000 (UTC)
Received: from CH1EHSMHS029.bigfish.com (snatpool1.int.messaging.microsoft.com []) by mail221-ch1.bigfish.com (Postfix) with ESMTP id D18DA400083; Wed, 22 Aug 2012 20:46:12 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com ( by CH1EHSMHS029.bigfish.com ( with Microsoft SMTP Server (TLS) id; Wed, 22 Aug 2012 20:46:11 +0000
Received: from co1outboundpool.messaging.microsoft.com ( by mail.microsoft.com ( with Microsoft SMTP Server (TLS) id 14.2.309.3; Wed, 22 Aug 2012 20:46:03 +0000
Received: from mail135-co1-R.bigfish.com ( by CO1EHSOBE008.bigfish.com ( with Microsoft SMTP Server id; Wed, 22 Aug 2012 20:46:03 +0000
Received: from mail135-co1 (localhost []) by mail135-co1-R.bigfish.com (Postfix) with ESMTP id 215DE720082; Wed, 22 Aug 2012 20:46:03 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:FOP;SFS:;DIR:OUT;
Received: from mail135-co1 (localhost.localdomain []) by mail135-co1 (MessageSwitch) id 1345668360445016_460; Wed, 22 Aug 2012 20:46:00 +0000 (UTC)
Received: from CO1EHSMHS016.bigfish.com (unknown []) by mail135-co1.bigfish.com (Postfix) with ESMTP id 5FD98940043; Wed, 22 Aug 2012 20:46:00 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com ( by CO1EHSMHS016.bigfish.com ( with Microsoft SMTP Server (TLS) id; Wed, 22 Aug 2012 20:45:59 +0000
Received: from BL2PR03MB593.namprd03.prod.outlook.com ( by BL2PRD0310HT003.namprd03.prod.outlook.com ( with Microsoft SMTP Server (TLS) id; Wed, 22 Aug 2012 20:45:59 +0000
Received: from BL2PR03MB592.namprd03.prod.outlook.com ( by BL2PR03MB593.namprd03.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.485.6; Wed, 22 Aug 2012 20:45:57 +0000
Received: from BL2PR03MB592.namprd03.prod.outlook.com ([]) by BL2PR03MB592.namprd03.prod.outlook.com ([]) with mapi id 15.00.0485.006; Wed, 22 Aug 2012 20:45:57 +0000
From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-eai-mailinglistbis.all@tools.ietf.org" <draft-ietf-eai-mailinglistbis.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-eai-mailinglistbis-05
Thread-Index: Ac2AheMKwUzNei2US5OLmJ9bAk033w==
Date: Wed, 22 Aug 2012 20:45:57 +0000
Message-ID: <5d350cd00c1240f0a9ffeaf07f6bd469@BL2PR03MB592.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_5d350cd00c1240f0a9ffeaf07f6bd469BL2PR03MB592namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PR03MB593.namprd03.prod.outlook.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC106.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC106.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Subject: [secdir] secdir review of draft-ietf-eai-mailinglistbis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2012 20:46:17 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This Informational document describes "considerations" for the design and operations of mailing list expanders not collocated with the sender when non-ASCII email addresses are involved. It is truly informational in that it does not prescribe how to deal with the various problems that one might encounter. It simply enumerates the problems, describes the alternatives, and the range of behaviors observed in existing implementations. It suggests a number of areas where future standardization would be helpful.

The document lists no security considerations. An issue discussed in the document that could be considered a security issue is that mail recipients that cannot accept non-ASCII email addresses might or might not receive messages sent to the list (depending on approaches the forwarder takes), and generally the original sender is not notified. I don't recommend any changes.