Re: [secdir] Secdir review of draft-ietf-jmap-mail-14

"Neil Jenkins" <neilj@fastmailteam.com> Tue, 19 February 2019 06:50 UTC

On Tue, 19 Feb 2019, at 13:30, Magnus Nyström wrote:
>  * Section 9, the Security Considerations section, generally refers to draft-ietf-jmap-core for security considerations. I would agree with this. I wonder for a new protocol like this though, if TLS 1.3 should be required?

In response to Eric Rescorla's review, the draft has been updated to require a minimum of TLS 1.2 and recommend at least TLS 1.3 – I think this is reasonable given the current situation.

>  * Also, for draft-ietf-jmap-core, it would be nice if Basic Auth could be disallowed for a new protocol like this - trying to move away from passwords

Nice in theory, but in practice it's really up to the vendors, and will be used regardless of what you say in the spec.

>  * Editorial; Section 9.3: "Milter protocol" - I understand this is short-hand for "mail filter protocol," but perhaps this should be written out, maybe with some reference?

I've added an informative reference to http://www.postfix.org/MILTER_README.html.

>  *  I also could not find the term defined in draft-ietf-jmap-core.

This is a mail-specific thing, so not relevant to core.

>  * Also in 9.3, should "the Milter protocol" be "a Milter protocol"? Not sure.

No, it's referring to a specific de-facto protocol; I think this is more clear with the added reference.

Cheers,
Neil.