[secdir] Secdir review of draft-sparks-genarea-mailarch-improvements-02

Charlie Kaufman <charliekaufman@outlook.com> Thu, 04 February 2016 19:28 UTC

From: Charlie Kaufman <charliekaufman@outlook.com>
To: 'secdir' <secdir@ietf.org>
Date: Thu, 4 Feb 2016 19:28:43 +0000
Message-ID: <CY1PR17MB04250B4DC67358D55E341DABDFD10@CY1PR17MB0425.namprd17.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/XVXgLMmqgGJGlyS5WFLbl226FvE>
Cc: 'The IESG' <iesg@ietf.org>, "draft-sparks-genarea-mailarch-improvements.all@tools.ietf.org" <draft-sparks-genarea-mailarch-improvements.all@tools.ietf.org>
Subject: [secdir] Secdir review of draft-sparks-genarea-mailarch-improvements-02

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


This is an unusual RFC candidate - even as informational - in that it is effectively a wish list for improvements to the IETF's "mailarch" tool for searching email archives. It's not quite a requirements document, but rather seems to describe a well developed design, as indicated by stating that the new version should work without requiring JavaScript on the client, but that in that mode would give up certain enumerated features.

Since all of the archives are public, and the search engine should only have the right to read them, the only significant security considerations are with respect to denial of service. That issue is briefly raised in RFC 6778, which this document references.

                --Charlie