Re: [secdir] [Jmap] Secdir last call review of draft-ietf-jmap-core-12

"Neil Jenkins" <neilj@fastmailteam.com> Tue, 08 January 2019 03:42 UTC

Message-Id: <77c37c56-a40a-4a52-95a0-553e63dc6a08@beta.fastmail.com>
In-Reply-To: <01R1M7QIBP9I00004R@mauve.mrochek.com>
References: <154651703823.29557.748556981627156046@ietfa.amsl.com> <CABuGu1oM4qBcMNxh=rnWCSD-tVJYcNmDaL+orwBqq=OAvKWOZg@mail.gmail.com> <01R1M7QIBP9I00004R@mauve.mrochek.com>
Date: Mon, 07 Jan 2019 22:42:31 -0500
From: Neil Jenkins <neilj@fastmailteam.com>
To: "Kurt Andersen (IETF)" <kurta+ietf@drkurt.com>, Ned Freed <ned.freed@mrochek.com>
Cc: Tero Kivinen <kivinen@iki.fi>, IETF JMAP Mailing List <jmap@ietf.org>, draft-ietf-jmap-core.all@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RV38biQK3t0QTwftR3VTm9pxQJI>
Subject: Re: [secdir] [Jmap] Secdir last call review of draft-ietf-jmap-core-12

On Sat, 5 Jan 2019, at 9:10 AM, Ned Freed wrote:
> I'll first note that although the JMAP specification refers to the IMAP ACL
> security model extensively, RFC 4314 is not in the references list. That needs
> to be fixed,

Agreed, I have now added a reference to this.

>  and a note in the security considerations section saying that the
> security considerations for IMAP ACLs apply to JMAP would also be good.

I've read through the security considerations section here and I don't actually think any of them apply to JMAP; bear in mind the current spec does not have any way to set ACLs, it just exposes the user's current rights. (Setting ACLs is left to a future extension.)

---

I have added the following section to the JMAP Core security considerations:

*8.8 Push traffic analysis*

While the data is encrypted, a passive observer with the ability to monitor network traffic may be able to glean information from the timing of push notifications. For example, suppose an email or calendar invitation is sent from User A (hosted on Server X) to User B (hosted on Server Y). If Server X hosts data for many users, a passive observer can see that the two servers connected but does not know who the data was for. However, if a push notification is immediately sent to User B and the attacker can observe this as well, they may reasonably conclude that someone on Server X is connecting to User B.

This can be partially mitigated by the JMAP server applying some random jitter before sending out push notifications, however the jitter would have to be small so as not to affect quality of service. This is also mitigated innately on large services with high traffic flows hosting data for many users, as it becomes much harder for an attacker to correlate incoming data events with outgoing push notifications, allowing users to “hide in the crowd”.

---

I await the conclusion on whether we should add a confirmation step to push notifications, but other than that I don't believe there are any outstanding issues to address from this review. Please let me know if I've missed something.

Neil.
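
Added example (not part of the original message or of the JMAP draft): a small simulation for gauging how much the two mitigations in the proposed section 8.8, random jitter and high traffic volume, reduce how often an inbound delivery can be tied to the push that follows it. The Poisson arrival model, the 20 to 80 ms processing delay, the "first push after the connection" linking rule, and all parameter values are assumptions made for illustration.

```python
import bisect
import random


def linkage_accuracy(rate_per_s, jitter_s, users=1000, events=5000, seed=1):
    """Fraction of inbound deliveries that a timing-only observer links to the
    correct recipient by taking the first push seen after each delivery."""
    rng = random.Random(seed)
    now = 0.0
    inbound = []  # (arrival time, true recipient); recipient is NOT visible on the wire
    pushes = []   # (push time, recipient); both visible to the observer
    for _ in range(events):
        now += rng.expovariate(rate_per_s)    # assumed Poisson arrivals at Server Y
        recipient = rng.randrange(users)
        processing = rng.uniform(0.02, 0.08)  # assumed server processing delay (s)
        jitter = rng.uniform(0.0, jitter_s)   # the mitigation under test
        inbound.append((now, recipient))
        pushes.append((now + processing + jitter, recipient))

    pushes.sort()
    push_times = [t for t, _ in pushes]
    correct = 0
    for arrival, recipient in inbound:
        # Every delivery has its own push later in time, so the index is in range.
        guess = pushes[bisect.bisect_right(push_times, arrival)][1]
        correct += guess == recipient
    return correct / events


if __name__ == "__main__":
    # Constructed scenarios: quiet vs. busy server, without and with 2 s of jitter.
    for rate in (0.1, 50.0):
        for jitter in (0.0, 2.0):
            acc = linkage_accuracy(rate, jitter)
            print(f"rate={rate:>5}/s jitter={jitter:.1f}s linked={acc:.1%}")
```

On a quiet server, jitter alone lowers the linkage rate only modestly, while on a busy server the interleaving of other users' pushes does most of the work, which matches the "partially mitigated" and "hide in the crowd" wording of the proposed text.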