Re: [secdir] [Jmap] secdir review of draft-ietf-jmap-quotas
rcordier@linagora.com Tue, 31 January 2023 08:01 UTC
Return-Path: <rcordier@linagora.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D009AC14CEFE; Tue, 31 Jan 2023 00:01:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.694
X-Spam-Level:
X-Spam-Status: No, score=-6.694 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=linagora.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8zBXRoDU9rA; Tue, 31 Jan 2023 00:01:18 -0800 (PST)
Received: from smtp.linagora.com (smtp.linagora.com [54.36.8.78]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FF39C14F749; Tue, 31 Jan 2023 00:01:17 -0800 (PST)
Received: from ?Open?PaaS?SMTP?server?for?Linagora? (unknown [51.83.109.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.linagora.com (Postfix) with ESMTPSA id 137983EE62; Tue, 31 Jan 2023 09:01:14 +0100 (CET)
DKIM-Signature: a=rsa-sha256; b=BbL9uOKZC63fn6J7Z1FtiQ3fARAAVZe0V6yoEFGrpER+cwwNKjD/vpe4aeNqvdHcL4cCVrLnQSoYWEXq3LFYzivE+ydmLHXVC3e3vE8o/Rk1KEe1+bsj9x0nxBs0usSvArkaYr/luyosmulsyIivZM3KjbysM4HkaCAjjvz3E0ix4yJY++nQFQ5QbNwhKrlhVDVuUUvBgBNGH29UUV8rUTDUJND2cglxalqqcB8qobbNzJiMXRLYcNiLSlaV3Tyard+bLoxjFdP8tLGXoDIEVjArPdOeqFLOwZFMJczydnkeVSX/kukAGpW1NduLBOcdp5/DB1hRhNEf5FhXa1awig==; s=smtpoutjames; d=linagora.com; v=1; bh=UiT9xPQhcvbQxzse8RuH1CSCTkbZc7ZkJPL8UezU/r8=; h=from : reply-to : subject : date : to : cc : resent-date : resent-from : resent-sender : resent-to : resent-cc : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive;
Date: Tue, 31 Jan 2023 08:01:14 +0000
Message-ID: <1397275281.66.1675152074667@212e230e4d2f>
MIME-Version: 1.0
X-LINAGORA-Copy-Delivery-Done: 1
From: rcordier@linagora.com
To: draft-ietf-jmap-quotas.all@ietf.org, jmap@ietf.org, last-call@ietf.org, secdir@ietf.org, Wes Hardaker <wjhns1@hardakers.net>
Reply-To: rcordier@linagora.com
User-Agent: Team-Mail/0.5.2 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: multipart/alternative; boundary="-=Part.1f9.acc30ae47b96340f.18606d7e460.ed48265de0d2e8a9=-"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iowJCGMsHL_EWNohNDRdFBhOPuE>
Subject: Re: [secdir] [Jmap] secdir review of draft-ietf-jmap-quotas
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 08:01:22 -0000
Hello Wes, Thank you for reviewing it again and addressing new feedback on this draft. I will answer you inline as there is quite a bunch of comments. Changes that I fixed on the new released version 11 of the draft: - https://github.com/jmapio/jmap/pull/376/commits/7ebe04562ee591be4bcda77468bc45ab720631c7 - https://github.com/jmapio/jmap/pull/376/commits/4ff57bb602742c611b7d8e9cfab8ac5d16258ca5 Hope this will satisfy you, if not don't hesitate to give your feedback again! Best regards, Rene. On Jan 12, 2023 5:06 AM, from Wes Hardaker I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Review summary: almost ready with issues Apologies for my delay in getting to the new version of this document (between vacation and a bad cold, I got behind in tasks). Thank you for the work you put into the new version; I find it much better than the old and can see you took many suggestions (mine and others) into account. A few (mostly minor) thoughts on the new version: - If it were me, I'd break the quota attributes section into it's own (becoming a new 4.1) starting with "The quota object MUST...". +1. Fixed - 4.1: document at section 5.1 -> document in section 5.1 +1. Fixed - 4.3: any of which may be omitted -> any of which may be included or omitted +1. Fixed - 4.3: seems odd that the name attribute is the only one that isn't a list. Not odd, there could be two filter conditions with a different name each under an operator (OR, AND) for example. However, scopes and resourceTypes should not be lists... More explanation below with your next concern - 4.3: Larger issue wrt interoperability: My last note leads to the next: in the summary paragraph you state "A Quota object matches the FilterCondition if and only if all the given conditions match, including multiple array elements existing within a condition.", which I don't know how to interpret properly. You say that all conditions match (which I'm sure means if both a scope and a resourceType are specified they both MUST match). But the second part of the sentence leaves me confused about multiple array elements. This would leave me to think that if you specified multiple resourceTypes in a list, then every type must match which should never be true so I doubt this is what you mean. Maybe this is a good rewrite: A Quota object matches the FilterCondition if and only if all the given properties match (i.e. a logical and of all properties). For filter properties that are a list, at least one of the list elements must match for that property to be considered a match (i.e. a logical or of all the property's list element). But... I am trying to figure out what you mean, and my interpretation may be wrong! It wasn't logical indeed in that state. But rereading it again, and the jmap core spec, I actually think scopes and resourceTypes should not be lists, but single field. Scopes and resource types and well defined values by the server, and each quota can only have one. So if we need to fetch different accounts with different scopes and resource types, we can use different conditions and operators, they are here for that. dataTypes is still a list though, as a quota can have multiple values. So it makes sense to want to search for quota that have all the values indicated in the filter condition. Thus the sentence makes sense as well now and shouldn't need change. FYI I just realized when answering that I should drop the "s" from the scope(s) and resourceType(s) properties as they are not lists anymore. If you agree with that I will fix it and release it in a newer version (12). Just let me know if it would satisfy you first! - For the example in section 5.2, I'd suggest actually using data that followed the previous example in a time-sequence. Thus, if you changed the "sinceState" to "78540" to match the last value from the previous example, it would better show an example of commands over time. (IMHO) +1. Fixed - The security section is improved (thank you), but there are some wording issues within it that need work: - "so he shouldn't know" -- I think you mean other users here shouldn't know. So I'd change this to "so other users shouldn't know" or "no users should know". +1. Fixed - The last sentence is hard to read as is. I'd suggest the following replacement: In order to limit those attacks, quotas with "domain" or "global" scope SHOULD only be visible to server administrators and not to general users. +1. Fixed - I'm surprised you don't have an acknowledgment section, which customary to list all the people that help you put this specification together. It's common but not required of course. Actually I didn't know, as I didn't see any on other JMAP RFCs. But I looked again on other RFCs and I could see you were right... And I think it's a great idea. So I added one, thanks for the suggestion :) -- Wes Hardaker USC/ISI _______________________________________________ Jmap mailing list Jmap@ietf.org https://www.ietf.org/mailman/listinfo/jmap