Re: [secdir] SECDIR Review of draft-ietf-morg-multimailbox-search-06

Samuel Weiler <weiler@watson.org> Thu, 03 March 2011 13:54 UTC

Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1D533A6884; Thu, 3 Mar 2011 05:54:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8sfnAFsTQzD; Thu, 3 Mar 2011 05:54:46 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 068513A6866; Thu, 3 Mar 2011 05:54:45 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id p23DtnmZ009445; Thu, 3 Mar 2011 08:55:49 -0500 (EST) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id p23Dtmc0009442; Thu, 3 Mar 2011 08:55:49 -0500 (EST) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 3 Mar 2011 08:55:48 -0500 (EST)
From: Samuel Weiler <weiler@watson.org>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <AANLkTinMxqZqzdpT6ycAPAx4OxztAdv04DAT=hmg2=te@mail.gmail.com>
Message-ID: <alpine.BSF.2.00.1103030851310.7972@fledge.watson.org>
References: <AANLkTi=dK8tZibPfR2F+s5rZ8OEsafgHBSk0_Ein-G0w@mail.gmail.com> <alpine.BSF.2.00.1102260635310.9639@fledge.watson.org> <AANLkTinMxqZqzdpT6ycAPAx4OxztAdv04DAT=hmg2=te@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="621616949-1335935227-1299160549=:7972"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 03 Mar 2011 08:55:49 -0500 (EST)
Cc: Alexey.Melnikov@isode.com, Barry Leiba <barryleiba@computer.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SECDIR Review of draft-ietf-morg-multimailbox-search-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 13:54:46 -0000

>> If the user specifies some mailbox(es) which she doesn't have access rights
>> to AND some mailbox(es) which she can access, the doc says to IGNORE the
>> ones she can't access.  Wouldn't it be more useful to send an error for
>> those mailboxes rather than silently fail?

> I don't see any value there.
>
> If the user is not permitted access to a mailbox, they don't get the
> information. There might be value sending the notice to an exception
> log, but it does not make much sense to send it to the user's client.
> If the user is trying to maliciously access material they should not,
> what would be the value in telling them?

I'm thinking about this the other way around: if we're dealing with 
the (perhaps more common) case of misconfiguration rather than malice, 
this delivers a poor user experience.  With a silent failure, the user 
is likely to be misled into assuming that no messages matched the 
search.

> The use case that would likely arise for this would be where there 
> are shared folders (e.g. mailing lists) in some sort of hierarchy.

Yep.

-- Sam