[secdir] secdir review of draft-melnikov-mailserver-uri-to-historic-00

"Richard L. Barnes" <rbarnes@bbn.com> Mon, 22 November 2010 16:19 UTC

From: "Richard L. Barnes" <rbarnes@bbn.com>
To: secdir@ietf.org, iesg@ietf.org, "ietf@ietf.org IETF" <ietf@ietf.org>, draft-melnikov-mailserver-uri-to-historic@tools.ietf.org
Date: Mon, 22 Nov 2010 11:20:46 -0500

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG.  These comments were written primarily for the benefit of the  
security area directors.  Document editors and WG chairs should treat  
these comments just like any other last call comments.

As the name suggests, this document requests that IANA change the  
registration status of the "mailserver:" URI scheme to  
"Historic" (from its current status as "Provisional").  The document  
explains the lack of interoperability around this URI scheme, and  
describes better alternatives that developers should use.

I agree with the document's assessment that it does not create any new
security concerns.  By reducing the ambiguity related to "mailserver:"
URIs, this change in status should reduce the risk that improper
implementations will create security vulnerabilities in software.

--Richard