Re: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

Stephen Kent <kent@bbn.com> Thu, 04 March 2010 01:59 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 677AD28C2BE; Wed, 3 Mar 2010 17:59:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEesQgeHnQjf; Wed, 3 Mar 2010 17:59:01 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 4373F3A89EF; Wed, 3 Mar 2010 17:58:58 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[169.223.34.205]) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Nn0L4-00041k-JP; Wed, 03 Mar 2010 20:58:59 -0500
Mime-Version: 1.0
Message-Id: <p06240804c7b4bcb4b668@[169.223.34.205]>
In-Reply-To: <6.2.5.6.2.20100303103218.0ba092a0@resistor.net>
References: <4B8E515A.6060608@isode.com> <6.2.5.6.2.20100303103218.0ba092a0@resistor.net>
Date: Wed, 3 Mar 2010 20:55:44 -0500
To: S Moonesamy <sm+ietf@elandsys.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-944454558==_ma============"
Cc: yam@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2010 01:59:02 -0000

At 11:14 AM -0800 3/3/10, S Moonesamy wrote:
>...
>This part of the effort is to move 8BITMIME to Full Standard.  This 
>document does not change the 8BITMIME specification as defined in 
>RFC 1652.  There was a pre-evaluation and a Sec-dir review prior to 
>this document ( 
>http://www.ietf.org/mail-archive/web/secdir/current/msg01064.html ). 
>It would have been helpful if the YAM WG got a review of RFC 1652 at 
>that time but that did not happen probably due to miscommunication 
>about the process.  Please note that there hasn't been any reports 
>of security issues with this 16 year old specification.

OK

>>The security considerations section consists of only one sentence: 
>>"This RFC does not discuss security issues and is not believed to 
>>raise any security issues not already endemic in electronic mail 
>>and present in fully conforming implementations of [RFC5321]." RFC 
>>5321 (the updated SMTP spec) has an extensive security 
>>considerations section, so this is a reasonable reference. I could 
>>imagine security issues that might be associated with this document 
>>vs. 5321, since the security section of the latter document does 
>>not address any security concerns related to transfer of 8-bit 
>>data. For example, the handshake used to determine whether an SMTP 
>>sever support receipt/relay of 8-bit data might be used to target 
>>servers based on the lack of such support. One might even cite the 
>>use of this transport capability as facilitating malware 
>>transmission in e-mail attachments
>
>I don't understand your concern in regards to the 8-bit data 
>transfer.  If you mean that support for this SMTP extension could be 
>used to identify SMTP servers which do not support it, that is 
>correct.  There is some text about 8-bit message content 
>transmission in Section 2.4 of RFC 5321.

First, this is a minor issue, so we ought not devote to much time to 
it. I mentioned it because the tone of the security considerations 
sentence is somewhat dismissive, suggesting that the authors did not 
want to bother with this section :-). Nonetheless, it would be 
preferable  to explicitly note this side-effect of security 
considerations section, since it is not called out in the 5321 
security considerations and the text in 2.4 does not have a secruity 
focus.

>This transport capability does not facilitate malware transmission 
>as email attachments can still be sent even if the SMTP client or 
>server does not support the 8BITMIME extension.  It is only a matter 
>of using MIME for the 5322 message.

Presumably you mean to say that binary attachments that are ideal for 
delivering malware are supported irrespective of the use of this 
feature, right?  If so, that then that might also be a suitable 
comment to make in the SC section.

Steve