Re: Comments on draft-melnikov-sieve-external-lists-02.txt

Ned Freed <ned.freed@mrochek.com> Fri, 24 July 2009 13:07 UTC

Return-Path: <owner-ietf-mta-filters@mail.imc.org>
X-Original-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Delivered-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9356E3A6CC7 for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Fri, 24 Jul 2009 06:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.256
X-Spam-Level:
X-Spam-Status: No, score=-2.256 tagged_above=-999 required=5 tests=[AWL=0.343, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAqA3QC-WCm4 for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Fri, 24 Jul 2009 06:07:19 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 4F3523A6862 for <sieve-archive-Aet6aiqu@ietf.org>; Fri, 24 Jul 2009 06:07:19 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n6OCv776093930 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 24 Jul 2009 05:57:07 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n6OCv7TM093928; Fri, 24 Jul 2009 05:57:07 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n6OCuuQi093916 for <ietf-mta-filters@imc.org>; Fri, 24 Jul 2009 05:57:07 -0700 (MST) (envelope-from ned.freed@mrochek.com)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NBOQZKO6V40089U7@mauve.mrochek.com> for ietf-mta-filters@imc.org; Fri, 24 Jul 2009 05:56:53 -0700 (PDT)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NBO2ULHOF400007A@mauve.mrochek.com>; Fri, 24 Jul 2009 05:56:50 -0700 (PDT)
Date: Fri, 24 Jul 2009 05:55:10 -0700
From: Ned Freed <ned.freed@mrochek.com>
Subject: Re: Comments on draft-melnikov-sieve-external-lists-02.txt
In-reply-to: "Your message dated Thu, 23 Jul 2009 22:48:50 +0100" <f470f68e0907231448n764a85deo9b490cbf26e13008@mail.gmail.com>
To: Robert Burrell Donkin <robertburrelldonkin@gmail.com>
Cc: Ned Freed <ned.freed@mrochek.com>, Дилян Палаузов <dilyan.palauzov@aegee.org>, Alexey Melnikov <alexey.melnikov@isode.com>, ietf-mta-filters@imc.org
Message-id: <01NBOQZIKDF000007A@mauve.mrochek.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset="ISO-8859-1"
Content-transfer-encoding: 8bit
References: <371C2EEC-8CBD-4AC1-B07A-928352E19DCB@pobox.com> <F4A90756-9251-4CB8-9776-77F3202617A5@pobox.com> <01NB1TV04NJS001ML6@mauve.mrochek.com> <4A54701C.6080107@isode.com> <01NB2RB8UTA4001ML6@mauve.mrochek.com> <4A636837.7010105@isode.com> <01NBI4IUBYSY00007A@mauve.mrochek.com> <4A63732F.4030307@isode.com> <4A6376F9.5020509@aegee.org> <01NBII89YRHO00007A@mauve.mrochek.com> <f470f68e0907231448n764a85deo9b490cbf26e13008@mail.gmail.com>
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>

> 2009/7/20 Ned Freed <ned.freed@mrochek.com>:
> >
> >
> >> Hello,
> >
> >> > Would we need to have :list-is, :list-matches, :list-contains, or can we
> >> > get away with just :list, which would check for the exact match?
> >
> >> As far as I understood Ned, it is the list who decides on the exact
> >> match type : it is not up to the script to prescribe the matching. So
> >> "just :list".
> >
> >> Any use cases where :list-is, :list-contains ... make sense and "just
> >> :list" would be insufficient?
> >
> > Sure, you can have lists that support more than one kind of matching,
> > although
> > I expect such cases to be the exception rather than the rule. In such cases
> > I
> > would propose that the type of matching be embedded in the list name
> > somehow.
> >
> > This then gets to the idea of using URLs for list names. A tag: URL is of
> > course completely capable of handling additional embedded material. Other
> > URL schemes, not so much. In fact I'm not entirely sure how this is supposed
> > to
> > work with LDAP URLs with reasonable efficiency.
> >
> > Consider the fairly typical case of whitelisting based on a personal address
> > book in LDAP. Assuming everyone is OK with users being able to construct
> > and perform their own LDAP searches and have no problem knowing and hard
> > coding
> > the base DN of their entries (both very big ifs), this would call for
> > something
> > like:
> >
> >  if address :list "from"
> >     "ldap:///cn=me,o=pab?mail?sub?(objectclass=regularentry)" {
> >     ... whitelist ...
> >  }
> >
> > The problem with this is we're again back to enumeration - that URL produces
> > a (potentially very large) list of addresses, which would have to be
> > compared
> > one by one to the address(es) extracted from the "from" field.
> >
> > But consider the URL:
> >
> >  ldap:///cn=me,o=pab?mail?sub?(&(objectclass=regularentry)(mail=a@b))
> >
> > This flips the problem around - now the address you're looking for is
> > specified
> > in the URL itself. Now it's up to the LDAP server to find the match, and the
> > simple fact it returned a response is enough to conclude the address is on
> > the
> > list.
> >
> > This is much more efficient, especially if the LDAP server has proper
> > indexing.
> > But now the URL is something that has to be constructed by knowing what
> > you're
> > searching for.
> >
> > I will also note that LDAP URLs can embed very complex matching criteria of
> > their own.
> >
> > Now, I guess I have no problem with using tag: URLs that end up getting
> > converted to the more efficient LDAP URLs seen here. But I really have to
> > question whether anyone is actually going to allow, as the specification
> > implies, the direct use of LDAP URLs or other URLs with similar
> > characteristics.

> +1

> the Sieve engine will face problems of semantics, resolution and
> authentication with direct URLs

The last item is an important point. Anyone who allows, say LDAP URls, is going
to have a fun time analyzing those URls to make sure they don't do  anything
naughty.

				Ned