[secdir] SecDir review of draft-leiba-5322upd-from-group-06

Warren Kumari <warren@kumari.net> Thu, 25 October 2012 14:27 UTC

Return-Path: <warren@kumari.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AD78F21F8973; Thu, 25 Oct 2012 07:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.215
X-Spam-Status: No, score=-102.215 tagged_above=-999 required=5 tests=[AWL=0.384, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id TxgL9SZkj9ak; Thu, 25 Oct 2012 07:27:43 -0700 (PDT)
Received: from vimes.kumari.net (smtp1.kumari.net []) by ietfa.amsl.com (Postfix) with ESMTP id 35DBC21F8971; Thu, 25 Oct 2012 07:27:42 -0700 (PDT)
Received: from [] (unknown []) by vimes.kumari.net (Postfix) with ESMTPSA id 170E11B401FB; Thu, 25 Oct 2012 10:27:42 -0400 (EDT)
From: Warren Kumari <warren@kumari.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Date: Thu, 25 Oct 2012 10:27:41 -0400
Message-Id: <72AF5BB1-CDFC-480F-AFA9-713AA178765B@kumari.net>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-leiba-5322upd-from-group.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Subject: [secdir] SecDir review of draft-leiba-5322upd-from-group-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2012 14:27:43 -0000

I have reviewed this document as part of the security directorate's  ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document updates RFC5322 to allow group syntax in From: and Sender: (and "Resent-
   From:" and "Resent-Sender:").

I found the security considerations section to be well written, clear and complete (enough!). It appears that the author has considered and explained the security implications of the changes.
As From: addresses are frequently spoofed (and contain random crap), they are treated as untrusted data, and so this does not seem to significantly change the threat model.

As a general note I think that it could be made clearer *why* this is being done -- this document does a good job of explaining *how* this change gets implemented, and the implications of this change, but the reason why remains kinda vague to me-- I'm not an email geek, so it may be blindingly obvious to others. There is some use case text about "group syntax evolving" and EAI, but for someone not skilled in the art it doesn't communicate much.
Anyway, this is just a general observation…



There are only 10 types of people in this world -- those who understand binary arithmetic and those who don't.