Re: [secdir] Secdir last call review of draft-ietf-jmap-sieve-19
Ken Murchison <murch@fastmail.com> Mon, 18 March 2024 11:13 UTC
Return-Path: <murch@fastmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71CF5C14F69E; Mon, 18 Mar 2024 04:13:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="jLR0VsYB"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="jmRP25eD"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIghPXCWxOqm; Mon, 18 Mar 2024 04:13:46 -0700 (PDT)
Received: from fout3-smtp.messagingengine.com (fout3-smtp.messagingengine.com [103.168.172.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F39EFC180B52; Mon, 18 Mar 2024 04:12:48 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfout.nyi.internal (Postfix) with ESMTP id DD92B138011B; Mon, 18 Mar 2024 07:12:47 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Mon, 18 Mar 2024 07:12:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1710760367; x=1710846767; bh=5u/Re7tJMm S0lXSJx69CanmpDvVpgR5+NsFbk9bZgvk=; b=jLR0VsYBy2RzRSX5O+fd1JOTnp rgN2C10pLZDXe2Jy1Sx8APbZb9LDUMxumKbytqYXWdhlVBUDRqzh0hnBVZDf/82P K8n/6dHoqpyV3YobKMYE2wiKoYNAFGJei66iYpB5rWgVoU7WhNtH7LBw0fKlkY6c OpWSk7geNDTrkhQBTrGRAJItzYXmOrhrmqRdvYl6i2dW3DVDubke+nKarQ5RGGXZ +I4V6fmDpmUoj7ZfM+ksTwWcGRhH0vXX2Ur9ZAz17FljF2jTU5pcV50NeD1wvnQc akmIL5huKOa/7tknXWFiOLfvzHynMPPi/51hzGZmcL6sX63s9QbYlZBv0bIg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1710760367; x=1710846767; bh=5u/Re7tJMmS0lXSJx69CanmpDvVp gR5+NsFbk9bZgvk=; b=jmRP25eDoOBf5zKeqhNxkcYWpu4yRZ7ZGhZp2ucHt5Ol jOUkIoUu5ApL70iK96TB5qgQZPjuSa8ae00rOuT3fB/HEqkGSJ3+EK4F49L13JoH xhWI/jMoQGxtrNZlfiSjMPTCbVOf8MwEeoLBEMYiYxwEfs5oW4OzrweF6gEAX9EV GRQw8xCM/eSkugPomP+0oGpVyZATLMg4E4MF6Mmd1FWfn+ZuS4CD/8EkkwcRDGJg VQU34loQn759TEoJ1kBIe/DQ7nETP8mekc/41K+eDB0arRM0IglMfrXFBJSkmhdL Q14VdumlQpHQhTvy/oSskQJUsCMkPT1XCGZQNBMY6A==
X-ME-Sender: <xms:ryH4ZeM8GoOA2rM12YvyzWxfb82HkuDKQguO17I2bUFuXeeEaXjtQA> <xme:ryH4Zc_6Gah9_u8b6VCWuGwCLUNOsU6b2G5fFS4y_TRvya0pqwfcapIg_dI6YJXCT dTF0rK1SSjlTA>
X-ME-Received: <xmr:ryH4ZVQcmprfWh3DbFzd4OMVYtIfG9ti0NhSKxE1LtyfVyaRA7vleu8RXkOybGSKylzsak_zP5JMbR93o_IvFhKu0E73TH0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrkeejgddvhecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpegtkfffgggfuffvvehfhfhojgesrgdtreertddvjeenucfhrhhomhepmfgvnhcu ofhurhgthhhishhonhcuoehmuhhrtghhsehfrghsthhmrghilhdrtghomheqnecuggftrf grthhtvghrnhepgeefhfeiueevieethedvfeekfeeukedtfefhffeghfejkedtheelhefh ieetvdefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhurhgthhesfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:ryH4ZevzZIMhQHDC2FXFbNCI3hwoUuNbpmzL_2Fh3dWPjbrz1LvI6Q> <xmx:ryH4ZWfBCIg4L3lP1COX6WaNqcEonD7gLZrIcChLhPBG-Jnq3v2X7w> <xmx:ryH4ZS1_V-fab7xP4TU6QS5otXLdThsEvVQ3SXYFzLi8XwZSZtFOTw> <xmx:ryH4Za8lndJYulk9DGTWPToT-8-MYWmTJDpxULV_7TFh672QN-ApXw> <xmx:ryH4ZTERgel41dLeZhOo8s_Esmievf1gYUX0bIS5m11YAI2HpZ3A3A>
Feedback-ID: ibf914243:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 18 Mar 2024 07:12:45 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------zcddDtyP4ZpeQj8vP6KkQF0P"
Message-ID: <58550b90-24c5-4103-a792-9d431e26bc3a@fastmail.com>
Date: Mon, 18 Mar 2024 07:12:43 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Mohit Sethi <mohit@iki.fi>, secdir@ietf.org
Cc: draft-ietf-jmap-sieve.all@ietf.org, jmap@ietf.org, last-call@ietf.org
References: <171074230051.11621.14080582299477917640@ietfa.amsl.com>
From: Ken Murchison <murch@fastmail.com>
Organization: FastMail US LLC
In-Reply-To: <171074230051.11621.14080582299477917640@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/eR-16vjNyxd6fCotynK_bqnntgo>
Subject: Re: [secdir] Secdir last call review of draft-ietf-jmap-sieve-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 11:13:51 -0000
Hi Mohit, Thank you for the review. Responses below. On 3/18/24 2:11 AM, Mohit Sethi via Datatracker wrote: > Reviewer: Mohit Sethi > Review result: Ready > > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These comments > were written primarily for the benefit of the security area directors. Document > editors and WG chairs should treat these comments just like any other last-call > comments. > > This document defines an API for managing Sieve scripts on a server using the > JSON Meta Application Protocol (JMAP). Sieve scripts are used for filtering > email messages. It defines the following * A new JMAP data type called > "SieveScript" * Reserves a new URI urn:ietf:params:jmap:sieve for referring to > sieve script capability supported on the JMAP server * Two new JMAP error > codes: invalidSieve and sieveIsActive > > The document seems ready. It was easy to read and understand. The security > considerations section simply points to security considerations of RFC 8620 and > RFC 5228. > > One thing that I wondered while reading is how the integrity of the script blob > is ensured? How does the receiver verify the integrity of the binary script > content received? I guess JMAP is always expected to use TLS as the underlying > communication protocol and hence there is integrity during transit. I wonder if > there are any other means? I briefly read RFC 8620. It seems the blobId is > somehow derived from the blob content because of the following text: "If > identical binary content to an existing blob in the account is uploaded, the > existing blobId MAY be returned." But it is never explained how the blobId is > generated in the first place. It seems to be some sort of a hash which can > provide some way of integrity checking of binary data. Anyhow, there is nothing > to be fixed in this draft. Maybe something to consider for the original JMAP > RFC 8620. Its possible that client and servers you do integrity checking per RFC 9530, but as you suggest, that it something that some be addresses in the JMAP core spec. > One tiny nit: > > Link in the the following text appears to be broken: "Script content must first > be uploaded as per Section 2.2". The xml source looks correct "Script content > must first be uploaded as per <xref target="content"/>" but the link takes to > me to the top of the page instead of section 2.2. I'm guessing that this is an issue with the tooling that we can fix during AUTH48. -- Kenneth Murchison Senior Software Developer Fastmail US LLC
- [secdir] Secdir last call review of draft-ietf-jm… Mohit Sethi via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Ken Murchison
- Re: [secdir] Secdir last call review of draft-iet… Bron Gondwana
- Re: [secdir] Secdir last call review of draft-iet… Mohit Sethi