Re: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

S Moonesamy <sm+ietf@elandsys.com> Wed, 03 March 2010 19:14 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BBBBC28B797; Wed, 3 Mar 2010 11:14:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.046
X-Spam-Level:
X-Spam-Status: No, score=-1.046 tagged_above=-999 required=5 tests=[AWL=0.934, BAYES_00=-2.599, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r6XBGDZlCZqB; Wed, 3 Mar 2010 11:14:42 -0800 (PST)
Received: from mail.elandsys.com (mail.elandsys.com [208.69.177.125]) by core3.amsl.com (Postfix) with ESMTP id E8FE93A8C07; Wed, 3 Mar 2010 11:14:41 -0800 (PST)
Received: from SUBMAN.elandsys.com ([41.136.239.138]) (authenticated bits=0) by mail.elandsys.com (8.13.8/8.13.8) with ESMTP id o23JEWP7001778; Wed, 3 Mar 2010 11:14:38 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=elandsys.com; s=mail; t=1267643681; x=1267730081; bh=xx4AY9R59sCPOJlQ/koqxakGb8A=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To:References: Mime-Version:Content-Type; b=gQMR+tDRFtgx/2rMpaMmSvQA5xS2xtoMKhZUaJa02yuxPX1aEETUGt7UBcbS5Vxcl fjPgv8q2b5gLvCIPVzHEsuzG1+Y9XSrPBXKgqZ0XW1UlOhG+dUpCCKZthvRj5Tbdfx r9AKG68IdShgVLKHmzmjsLaNLk/VVF7LPDyhZsIc=
Message-Id: <6.2.5.6.2.20100303103218.0ba092a0@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Wed, 03 Mar 2010 11:14:13 -0800
To: Stephen Kent <kent@bbn.com>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <4B8E515A.6060608@isode.com>
References: <4B8E515A.6060608@isode.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Approved-At: Wed, 03 Mar 2010 23:17:34 -0800
Cc: yam@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 19:14:44 -0000

Hi Stephen,

Thank you for your review.

At 04:08 03-03-10, Alexey Melnikov forwarded:
>From: Stephen Kent <kent@bbn.com>
>Subject: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

[snip]

>This is a very, very brief document that is targeted to obsolete RFC 
>1652. It addresses transport of 8-bit (vs. ASCII) data via SMTP, 
>consistent with carriage of MIME 8BIT content encoding. This 
>document is part of the YAM effort, updating the series of Internet 
>email standards.

This part of the effort is to move 8BITMIME to Full Standard.  This 
document does not change the 8BITMIME specification as defined in RFC 
1652.  There was a pre-evaluation and a Sec-dir review prior to this 
document ( 
http://www.ietf.org/mail-archive/web/secdir/current/msg01064.html 
).  It would have been helpful if the YAM WG got a review of RFC 1652 
at that time but that did not happen probably due to miscommunication 
about the process.  Please note that there hasn't been any reports of 
security issues with this 16 year old specification.

>The security considerations section consists of only one sentence: 
>"This RFC does not discuss security issues and is not believed to 
>raise any security issues not already endemic in electronic mail and 
>present in fully conforming implementations of [RFC5321]." RFC 5321 
>(the updated SMTP spec) has an extensive security considerations 
>section, so this is a reasonable reference. I could imagine security 
>issues that might be associated with this document vs. 5321, since 
>the security section of the latter document does not address any 
>security concerns related to transfer of 8-bit data. For example, 
>the handshake used to determine whether an SMTP sever support 
>receipt/relay of 8-bit data might be used to target servers based on 
>the lack of such support. One might even cite the use of this 
>transport capability as facilitating malware transmission in e-mail attachments

I don't understand your concern in regards to the 8-bit data 
transfer.  If you mean that support for this SMTP extension could be 
used to identify SMTP servers which do not support it, that is 
correct.  There is some text about 8-bit message content transmission 
in Section 2.4 of RFC 5321.

This transport capability does not facilitate malware transmission as 
email attachments can still be sent even if the SMTP client or server 
does not support the 8BITMIME extension.  It is only a matter of 
using MIME for the 5322 message.

Could you please clarify the security issues you have in mind so that 
I can bring them to the attention of the authors of this document?

Regards,
S. Moonesamy