[secdir] secdir review of draft-ietf-appsawg-malformed-mail-09

"Scott G. Kelly" <scott@hyperthought.com> Tue, 29 October 2013 02:38 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 15A4421E80D2 for <secdir@ietfa.amsl.com>; Mon, 28 Oct 2013 19:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 5gLTdn99PUVt for <secdir@ietfa.amsl.com>; Mon, 28 Oct 2013 19:38:05 -0700 (PDT)
Received: from smtp98.iad3a.emailsrvr.com (smtp98.iad3a.emailsrvr.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1C88B21E80AC for <secdir@ietf.org>; Mon, 28 Oct 2013 19:36:41 -0700 (PDT)
Received: from localhost (localhost.localdomain []) by smtp5.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 780CDA80FF; Mon, 28 Oct 2013 22:36:24 -0400 (EDT)
X-Virus-Scanned: OK
Received: from app8.wa-webapps.iad3a (relay.iad3a.rsapps.net []) by smtp5.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 5F8F3A80C3; Mon, 28 Oct 2013 22:36:24 -0400 (EDT)
Received: from hyperthought.com (localhost.localdomain []) by app8.wa-webapps.iad3a (Postfix) with ESMTP id 4F23D280042; Mon, 28 Oct 2013 22:36:24 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Mon, 28 Oct 2013 19:36:24 -0700 (PDT)
Date: Mon, 28 Oct 2013 19:36:24 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: draft-ietf-appsawg-malformed-mail.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1383014184.320726214@apps.rackspace.com>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-appsawg-malformed-mail-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 02:38:15 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

From the abstract and introduction, this informational document includes a collection of the best advice available regarding a variety of common malformed mail situations, to be used as implementation guidance. Much (most?) of the guidance is aimed at improving security, and the security considerations section says this.

I have not carefully reviewed every section of the document. If it has not yet been reviewed by someone from the security area with expertise in this area, it may be worth sanity checking. Based on my quick read, I saw no obvious issues.