[secdir] SecDir Review of draft-ietf-extra-imap-replace-01
Catherine A Meadows <catherine.meadows@nrl.navy.mil> Thu, 04 October 2018 15:15 UTC
Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4C6130DFB; Thu, 4 Oct 2018 08:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idYefu7GageJ; Thu, 4 Oct 2018 08:15:55 -0700 (PDT)
Received: from ccs.nrl.navy.mil (mx0.ccs.nrl.navy.mil [IPv6:2001:480:20:118:118::211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFF67130E48; Thu, 4 Oct 2018 08:15:49 -0700 (PDT)
Received: from [10.0.3.109] (fw5540.nrl.navy.mil [132.250.196.100]) by ccs.nrl.navy.mil (8.14.4/8.14.4) with ESMTP id w94FFjMd024319; Thu, 4 Oct 2018 11:15:46 -0400
User-Agent: Microsoft-MacOutlook/10.10.2.180910
Date: Thu, 04 Oct 2018 11:15:45 -0400
From: Catherine A Meadows <catherine.meadows@nrl.navy.mil>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-extra-imap-replace.all@ietf.org
Message-ID: <9CBC0CD9-DAD9-489F-94A0-56CCE2843B92@nrl.navy.mil>
Thread-Topic: SecDir Review of draft-ietf-extra-imap-replace-01
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3621496546_1070543994"
X-CCS-MailScanner: No viruses found.
X-CCS-MailScanner-Info: See: http://www.nrl.navy.mil/ccs/support/email
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Xin2lBVcykdeYtGrvVrw4CWvkWA>
Subject: [secdir] SecDir Review of draft-ietf-extra-imap-replace-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Oct 2018 15:16:00 -0000
Reviewer: Catherine Meadows Review Result: Ready With Nits I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft defines an extension to IMAP that allows a REPLACE command and extends the UID command to UID REPLACE. Previously, replaces were done by using three commands in sequence: APPEND, STORE, and EXPUNGE. This was non-atomic, however, and failure of one of the commands could leave messages in intermediate states that could be seen and acted on by clients. The Security Considerations section reads: This document is believed to add no security problems beyond those that may already exist with the base IMAP specification. I would actually go further than that: the REPLACE command may actually prevent some potential security problems because it prevents some atomicity failures that could possibly be exploited by an attacker. If this is an appropriate for the Security Considerations Section I would urge the authors to include a statement to that effect after the sentence that says the document adds no security problems. Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Avenue Washington DC, 20375 phone: 202-767-3490
- [secdir] SecDir Review of draft-ietf-extra-imap-r… Catherine A Meadows