[secdir] draft-ietf-appsawg-mdn-3798bis-15 SECDIR Review

Donald Eastlake <d3e3e3@gmail.com> Thu, 01 December 2016 02:03 UTC

To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-appsawg-mdn-3798bis.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dsxoZc_bnoAwjOQdvyZ0tYR3r4w>
Cc: "secdir@ietf.org" <secdir@ietf.org>

My apologies for getting this in late. I have reviewed this document as
part of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG. Document editors and WG chairs
should treat these comments just like any other last call comments.

This draft appears to be ready for publication with some nits.

This draft polishes and advances to Internet Standard level RFC 3798 on
Message Disposition Notifications.

*Security Considerations:*

The Security Considerations seem good except for one minor point: in my
opinion the option to return all or a portion of the original message
significantly increases the possible risk of using MDNs as a traffic
multiplier. I believe this should be mentioned in Section 6.4.

*Miscellaneous:*

The style of this draft is to say that you MUST do this and MUST NOT do
that without indicating what action should be taken if this is violated.
This is like saying a protocol field "MUST be zero" without adding the
usual "and is ignored on receipt". For example, in Section 3 it says that a
message disposition notification MUST NOT itself request an MDN. I believe
it should go on and add the few words to say: "If one does, this is
ignored." (unless that's wrong...) I'm not saying this must always be done
but there may be 1 or 2 other cases like this in the draft where such
wording should be added.

*Wording:*

In Section 3, the wording of the last sentence of point d seems just a bit
obscure. It says

       However, in the case of encrypted messages requesting MDNs,
       encrypted message text MUST be returned, if it is returned at
       all, only in its original encrypted form.

I think it would be just a bit clearer as

       However, in the case of encrypted messages requesting MDNs, if
       the original message or a portion thereof is returned, it MUST
       be in its original encrypted form.


*Trivia:*

I do wonder if the references to X.400 mail are necessary. They seem
archaic. Does anyone run X.400 email any more? It is just used as an
example, along with proprietary mail systems. I think such proprietary
systems still exist, but X.400 mail? I'm not so sure. If it is going to be
retained, maybe there should be an Informational reference for it.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com
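
A receiver-side sketch of two points the review raises: ignoring an MDN request that arrives on a message that is itself an MDN, and keeping the returned-content part small. This is an added example, not part of the original message or the draft. The function names and sample messages are constructed, and returning only the header block is an assumed policy choice.

```python
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample: an ordinary message that requests an MDN.
REQUEST = (
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: report\r\n"
    "Disposition-Notification-To: alice@example.org\r\n"
    "\r\n" + "x" * 2000 + "\r\n"
)

# Constructed sample: an MDN that itself carries an MDN request.
MDN_WITH_REQUEST = (
    "From: bob@example.net\r\n"
    "To: alice@example.org\r\n"
    "Disposition-Notification-To: bob@example.net\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/report;\r\n"
    ' report-type=disposition-notification; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nYour message was displayed.\r\n"
    "--b1\r\nContent-Type: message/disposition-notification\r\n\r\n"
    "Final-Recipient: rfc822;bob@example.net\r\n"
    "Disposition: manual-action/MDN-sent-manually; displayed\r\n\r\n"
    "--b1--\r\n"
)

def is_mdn(msg: Message) -> bool:
    """True when the message is itself a disposition notification."""
    report_type = msg.get_param("report-type")
    return (msg.get_content_type() == "multipart/report"
            and isinstance(report_type, str)
            and report_type.lower() == "disposition-notification")

def mdn_target(msg: Message) -> Optional[str]:
    """Address to notify, or None when there is no request or it is ignored."""
    target = msg.get("Disposition-Notification-To")
    if target is None or is_mdn(msg):
        return None  # a request carried by an MDN is ignored on receipt
    return target.strip()

def returned_headers(raw: str) -> str:
    """Header block only (for a text/rfc822-headers part); the body is not echoed."""
    return raw.split("\r\n\r\n", 1)[0] + "\r\n"
```

With the constructed request above, the returned part stays near 100 bytes regardless of how large the original body is.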