Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12

Tero Kivinen <kivinen@iki.fi> Tue, 08 January 2019 14:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/c-EO0Wew9QcBrxCfsZX8JgxvLJU>

Neil Jenkins writes:
> Err, not sure what you're talking about here. Most email systems
> already support sharing on a per-folder (or mailbox as they're
> called in IMAP and JMAP) granularity.

I have no idea how to do that, for example, in Gmail. The IMAP server I
am running does not list support for 4314, and as I have never needed
such a feature I have never checked if or how it can be done.

On the other hand, I did not see any support for that in iPad or
Android mail software either (or it might be well hidden in those
things, they are not very easy to use).

> That's why JMAP and IMAP can return you a "myRights" object with
> your permissions for each mailbox. Calendars are identical; you
> generally share on a per-calendar basis (which acts the same as a
> mailbox for mail; a collection of individual data items).

Calendars usually have a separate per-item flag that tells whether an
event is private, i.e., it is not only at the per-calendar or
per-mailbox level.

Anyway, I have seen several cases where people share their personal
calendars; I have not seen cases where people share their personal
mailboxes. There are cases where family members know other members'
passwords, and can log in if needed. Also group mailboxes, or reading
mail from multiple accounts in the same mail software, is very common;
sharing private mailboxes not so.

I.e., is it really common that:

      ... another user is sharing their mail with the logged in
      user,...

when not talking about group (support etc.) or role (secretary) based
mailboxes?

If so, I am happy that I live in places where people do value
privacy, and I have not seen such things done...
-- 
kivinen@iki.fi