Re: [secdir] secdir review of draft-sparks-genarea-imaparch

Robert Sparks <rjsparks@nostrum.com> Tue, 07 May 2013 19:07 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 339D721F93F9; Tue, 7 May 2013 12:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PbAdpH8YoTCA; Tue, 7 May 2013 12:07:12 -0700 (PDT)
Received: from shaman.nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by ietfa.amsl.com (Postfix) with ESMTP id A42C321F93EF; Tue, 7 May 2013 12:07:09 -0700 (PDT)
Received: from unnumerable.local (pool-173-57-99-236.dllstx.fios.verizon.net [173.57.99.236]) (authenticated bits=0) by shaman.nostrum.com (8.14.3/8.14.3) with ESMTP id r47J78ha015129 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=OK); Tue, 7 May 2013 14:07:09 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
Message-ID: <518950DC.8080507@nostrum.com>
Date: Tue, 07 May 2013 14:07:08 -0500
From: Robert Sparks <rjsparks@nostrum.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Carl Wallace <carl@redhoundsoftware.com>
References: <CDABDE36.4013C%carl@redhoundsoftware.com>
In-Reply-To: <CDABDE36.4013C%carl@redhoundsoftware.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass (shaman.nostrum.com: 173.57.99.236 is authenticated by a trusted mechanism)
Cc: draft-sparks-genarea-imaparch.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-sparks-genarea-imaparch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 19:07:21 -0000

Thanks Carl -

The details of how this authentication will be managed is probably 
diving a little deep
for the conversations this draft is hoping to inform. Pointing to 
integrating with the datatracker
should be enough, but if there is something _specific_ (in particular 
specific to IMAP) that we
want to constrain the design discussions with, let me know.

RjS

On 5/5/13 9:00 AM, Carl Wallace wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
> This draft describes the requirements for providing an IMAP interface for
> IETF mail archives.  The first item in the security considerations is
> correct, but in general the security considerations seem too narrowly
> focused on searching and storage.  Some discussion of the following may be
> worthwhile: how the server is authenticated to users, how users are
> authenticated to the server (unless the reference to the datatracker
> system is viewed as sufficient), details of the interface with the
> datatracker authentication system, (maybe) how archive integrity is
> maintained, identification of what should or should not be logged.
>
>