Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

S Moonesamy <sm+ietf@elandsys.com> Fri, 05 March 2010 14:41 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D19D528C1BE for <yam@core3.amsl.com>; Fri, 5 Mar 2010 06:41:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.98
X-Spam-Level:
X-Spam-Status: No, score=-1.98 tagged_above=-999 required=5 tests=[AWL=0.619, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GhopmCWXCl7 for <yam@core3.amsl.com>; Fri, 5 Mar 2010 06:41:53 -0800 (PST)
Received: from mail.elandsys.com (mail.elandsys.com [208.69.177.125]) by core3.amsl.com (Postfix) with ESMTP id 1A2D428C146 for <yam@ietf.org>; Fri, 5 Mar 2010 06:41:53 -0800 (PST)
Received: from SUBMAN.elandsys.com ([41.136.233.200]) (authenticated bits=0) by mail.elandsys.com (8.13.8/8.13.8) with ESMTP id o25Efl9V028482; Fri, 5 Mar 2010 06:41:52 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=elandsys.com; s=mail; t=1267800114; x=1267886514; bh=2k/mpKjfFirFKBscfRmIMxWjz5w=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To:References: Mime-Version:Content-Type; b=Rxa+9kZq3lQnBMY9c00J97tNof1EVf32a2eB0ccws5GQ9/uSzeL6VUowUZ3UbSo2a hQvpZXOBvJyLQ70RrBkfFa+hcsIw7L5Dfqr5LQ6owOqJEJ9Yxy+13yCuplUDK+b/rp A5fjzCM0w1qGKqcX1I5hzetbNZrrLzcijmjbq5ZI=
Message-Id: <6.2.5.6.2.20100305051249.09f24f38@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Fri, 05 Mar 2010 06:41:32 -0800
To: Alessandro Vesely <vesely@tana.it>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <4B90ED1C.8040905@tana.it>
References: <4B8E515A.6060608@isode.com> <6.2.5.6.2.20100303103218.0ba092a0@resistor.net> <4B90ED1C.8040905@tana.it>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: yam@ietf.org
Subject: Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 14:41:54 -0000

Hi Alessandro,
At 03:38 05-03-10, Alessandro Vesely wrote:
>RFC 4871 is of 2007 and reports an issue with it. Section 5.3 
>practically says that 8bit SHOULD NOT be used. I'm not sure whether 
>this is a security consideration that would incarnate Stephen's 
>concern (also because, since the "relaxed" Header Canonicalization 
>Algorithm does not take into account quotes, /any/ rfc2045 extension 
>token breaks those signatures, not just 8BITMIME.)

Section 5.3 of RFC 4871 sounds more like a deployment consideration 
instead of a security consideration.

The question from Stephen Kent [1] in response to my comment mentions 
that "binary attachments that are ideal for delivering malware are 
supported irrespective of the use of" the 8BITMIME extension.  Dave 
Crocker requested input from the WG on the secdir review [2].  His 
message gives a broader view of the matter (i.e. whether the change 
is within scope for the YAM WG).  If you have any comments, I would 
like to hear them.  I am not saying this because it is required by 
the IETF Standards process; I mean it.  It is less work for me if 
such discussions do not diverge from the issue at hand.  My position 
is that an issue was brought up during the Secdir review and I need 
an answer for the Responsible Area Director and YAM WG Chairs.

I wrote some notes about hostile content (temporary link 
http://www.elandsys.com/resources/mail/draft-moonesamy-mail-security-00.txt). 
It is not meant to be used as input for YAM WG work.

Regards,
S. Moonesamy

1. http://www.ietf.org/mail-archive/web/yam/current/msg00368.html
2. http://www.ietf.org/mail-archive/web/yam/current/msg00370.html
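The point raised in the quoted reply above, that RFC 4871 section 5.3 steers signers away from 8-bit content, can be seen concretely by running DKIM's relaxed canonicalization over a message body before and after a transit re-encoding. The block below is an added example, not code from this thread or from any DKIM implementation: it implements the relaxed body and header canonicalization of RFC 4871 sections 3.4.4 and 3.4.2, models a 7-bit-only relay with a minimal quoted-printable re-encoder constructed for the example, uses a constructed sample body, and assumes that Content-Transfer-Encoding is among the header fields listed in the signature's h= tag.

```python
import base64
import hashlib
import re

# Constructed sample: an 8-bit body (0xE9 is Latin-1 e-acute) exactly as it
# would be handed to a DKIM signer, before any transit modification.
ORIGINAL_BODY = b"Caf\xe9 au lait\r\nSecond line  with   spaces \r\n\r\n\r\n"
ORIGINAL_CTE = b"8bit"


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 4871 section 3.4.4 "relaxed" body canonicalization: collapse runs of
    WSP within a line to one SP, drop WSP at line ends, drop empty lines at the
    end of the body, and make sure a non-empty body ends with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def relaxed_header_canon(name: bytes, value: bytes) -> bytes:
    """RFC 4871 section 3.4.2 "relaxed" header canonicalization for one field:
    lowercase the name, unfold, collapse WSP, strip WSP around the colon."""
    value = value.replace(b"\r\n", b"")            # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t")
    return name.strip().lower() + b":" + value + b"\r\n"


def body_hash(body: bytes) -> str:
    """The bh= tag value: base64 of SHA-256 over the canonicalized body
    (rsa-sha256, which RFC 4871 recommends over the rsa-sha1 seen in the
    signature on the message above)."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def downgrade_to_7bit(body: bytes):
    """Model of what a relay without 8BITMIME may do to an 8-bit message:
    re-encode the body as quoted-printable and rewrite Content-Transfer-Encoding.
    Minimal QP encoder constructed for this example: only non-ASCII bytes and
    '=' (0x3D) are escaped, and no soft line breaks are inserted."""
    out = bytearray()
    for b in body:
        out += b"=%02X" % b if (b >= 0x80 or b == 0x3D) else bytes([b])
    return bytes(out), b"quoted-printable"


def whitespace_only_change(body: bytes):
    """Model of a relay that merely appends trailing WSP to the first line and
    adds one more blank line at the end; the CTE header is left untouched."""
    return body.replace(b"\r\n", b" \t\r\n", 1) + b"\r\n", ORIGINAL_CTE


def signature_survives(body_at_signer: bytes, cte_at_signer: bytes,
                       body_at_verifier: bytes, cte_at_verifier: bytes) -> bool:
    """True when both the body hash and the canonical Content-Transfer-Encoding
    field (assumed to be covered by h=) are identical at signer and verifier;
    a DKIM verifier would otherwise report the signature as failed."""
    same_body = body_hash(body_at_signer) == body_hash(body_at_verifier)
    same_hdr = (relaxed_header_canon(b"Content-Transfer-Encoding", cte_at_signer)
                == relaxed_header_canon(b"Content-Transfer-Encoding", cte_at_verifier))
    return same_body and same_hdr


if __name__ == "__main__":
    ws_body, ws_cte = whitespace_only_change(ORIGINAL_BODY)
    qp_body, qp_cte = downgrade_to_7bit(ORIGINAL_BODY)
    print("whitespace change survives :", signature_survives(ORIGINAL_BODY, ORIGINAL_CTE, ws_body, ws_cte))
    print("8bit->QP downgrade survives:", signature_survives(ORIGINAL_BODY, ORIGINAL_CTE, qp_body, qp_cte))
```

The whitespace-only change passes because relaxed canonicalization is designed to absorb exactly that kind of in-transit noise. The 8bit-to-quoted-printable downgrade changes the body bytes themselves and the Content-Transfer-Encoding value, so neither the body hash nor the signed header data match at the verifier and the signature fails, which is why section 5.3 tells signers to put 8-bit content into a 7-bit-safe transfer encoding before signing rather than relying on every relay supporting 8BITMIME.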