Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03
S Moonesamy <sm+ietf@elandsys.com> Wed, 03 March 2010 19:14 UTC
Date: Wed, 03 Mar 2010 11:14:13 -0800
To: Stephen Kent <kent@bbn.com>
From: S Moonesamy <sm+ietf@elandsys.com>
Cc: yam@ietf.org, secdir@ietf.org

Hi Stephen,

Thank you for your review.

At 04:08 03-03-10, Alexey Melnikov forwarded:
>From: Stephen Kent <kent@bbn.com>
>Subject: [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

[snip]

>This is a very, very brief document that is targeted to obsolete RFC
>1652. It addresses transport of 8-bit (vs. ASCII) data via SMTP,
>consistent with carriage of MIME 8BIT content encoding. This
>document is part of the YAM effort, updating the series of Internet
>email standards.

This part of the effort is to move 8BITMIME to Full Standard. This document does not change the 8BITMIME specification as defined in RFC 1652.

There was a pre-evaluation and a Sec-dir review prior to this document ( http://www.ietf.org/mail-archive/web/secdir/current/msg01064.html ). It would have been helpful if the YAM WG got a review of RFC 1652 at that time but that did not happen probably due to miscommunication about the process. Please note that there haven't been any reports of security issues with this 16 year old specification.

>The security considerations section consists of only one sentence:
>"This RFC does not discuss security issues and is not believed to
>raise any security issues not already endemic in electronic mail and
>present in fully conforming implementations of [RFC5321]." RFC 5321
>(the updated SMTP spec) has an extensive security considerations
>section, so this is a reasonable reference. I could imagine security
>issues that might be associated with this document vs. 5321, since
>the security section of the latter document does not address any
>security concerns related to transfer of 8-bit data. For example,
>the handshake used to determine whether an SMTP server supports
>receipt/relay of 8-bit data might be used to target servers based on
>the lack of such support. One might even cite the use of this
>transport capability as facilitating malware transmission in e-mail attachments

I don't understand your concern in regards to the 8-bit data transfer. If you mean that support for this SMTP extension could be used to identify SMTP servers which do not support it, that is correct. There is some text about 8-bit message content transmission in Section 2.4 of RFC 5321.

This transport capability does not facilitate malware transmission as email attachments can still be sent even if the SMTP client or server does not support the 8BITMIME extension. It is only a matter of using MIME for the 5322 message.

Could you please clarify the security issues you have in mind so that I can bring them to the attention of the authors of this document?

Regards,
S. Moonesamy
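
The two points in the message above (the EHLO reply discloses whether 8BITMIME is offered, and an attachment is carried either way), shown as an added example that is not part of the original message or of the draft. The EHLO replies, addresses, sample bytes and function names are constructed for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed EHLO replies for illustration; not captured from a real server.
EHLO_8BIT = "250-mx.example.org\r\n250-SIZE 10485760\r\n250-8BITMIME\r\n250 PIPELINING\r\n"
EHLO_7BIT = "250-mx.example.org\r\n250-SIZE 10485760\r\n250 PIPELINING\r\n"
SAMPLE_ATTACHMENT = bytes(range(256))  # constructed: every octet value, NUL included
SAMPLE_TEXT = "R\u00e9sum\u00e9 du rapport ci-joint.\n"  # constructed non-ASCII body text

def ehlo_keywords(reply):
    """Extension keywords from an EHLO reply; the first line is the greeting."""
    found = (re.match(r"250[- ](\S+)", line) for line in reply.splitlines()[1:])
    return {m.group(1).upper() for m in found if m}

def prepare(reply, text, attachment):
    """Return (MAIL command, wire bytes) chosen from the server's EHLO reply."""
    eight_bit = "8BITMIME" in ehlo_keywords(reply)
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.net"
    msg["Subject"] = "8BITMIME negotiation demo"
    # Only the text part changes: raw UTF-8 if 8BITMIME was offered,
    # otherwise quoted-printable so every octet on the wire is ASCII.
    msg.set_content(text, cte="8bit" if eight_bit else "quoted-printable")
    # Arbitrary binary is base64 in both cases: the 8bit encoding still
    # forbids NUL octets and overlong lines.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.bin", cte="base64")
    # The BODY parameter may only be sent when the server advertised 8BITMIME.
    param = " BODY=8BITMIME" if eight_bit else ""
    return f"MAIL FROM:<sender@example.org>{param}", msg.as_bytes(policy=policy.SMTP)

def received(wire):
    """Parse the wire form back into (text, attachment bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(wire)
    text = msg.get_body(preferencelist=("plain",)).get_content().strip()
    return text, next(msg.iter_attachments()).get_content()

if __name__ == "__main__":
    for reply in (EHLO_8BIT, EHLO_7BIT):
        cmd, wire = prepare(reply, SAMPLE_TEXT, SAMPLE_ATTACHMENT)
        print(cmd, "| ASCII-only wire:", wire.isascii(),
              "| attachment intact:", received(wire)[1] == SAMPLE_ATTACHMENT)
```

For content inspection this means a filter has to decode MIME parts before scanning whether or not 8BITMIME was negotiated, since the binary part is base64 in both runs.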