Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03

Ned Freed <ned.freed@mrochek.com> Sun, 07 March 2010 18:53 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: yam@core3.amsl.com
Delivered-To: yam@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 545C528C18B for <yam@core3.amsl.com>; Sun, 7 Mar 2010 10:53:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bdM67EBawJAE for <yam@core3.amsl.com>; Sun, 7 Mar 2010 10:53:07 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by core3.amsl.com (Postfix) with ESMTP id 2F46B28C175 for <yam@ietf.org>; Sun, 7 Mar 2010 10:53:07 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NKGR6W81N400F2Z1@mauve.mrochek.com> for yam@ietf.org; Sun, 7 Mar 2010 10:53:07 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01NKFX6BX70G00DRKJ@mauve.mrochek.com>; Sun, 07 Mar 2010 10:53:01 -0800 (PST)
Message-id: <01NKGR6SSL4G00DRKJ@mauve.mrochek.com>
Date: Sun, 07 Mar 2010 10:40:33 -0800 (PST)
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sun, 07 Mar 2010 12:27:40 +0000" <4B939BBC.6040102@isode.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN; Format=flowed
References: <4B8E515A.6060608@isode.com> <6.2.5.6.2.20100303103218.0ba092a0@resistor.net> <4B90ED1C.8040905@tana.it> <6.2.5.6.2.20100305051249.09f24f38@resistor.net> <4B923E1E.4070201@tana.it> <6.2.5.6.2.20100306054559.08fe2908@resistor.net> <4B92DEBC.9030209@dcrocker.net> <4B939BBC.6040102@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: dcrocker@bbiw.net, yam@ietf.org
Subject: Re: [yam] [secdir] secdir review of draft-ietf-yam-rfc1652bis-03
X-BeenThere: yam@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Yet Another Mail working group discussion list <yam.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/yam>
List-Post: <mailto:yam@ietf.org>
List-Help: <mailto:yam-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yam>, <mailto:yam-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 18:53:08 -0000

> Dave CROCKER wrote:

> > On 3/6/2010 11:05 PM, S Moonesamy wrote:
> >
> >> The Last Call for draft-ietf-yam-rfc1652bis-03 ended yesterday. There
> >> wasn't
> >> any comments. This I-D will be evaluated by the IESG on March 11. I am
> >> waiting for a recommendation from Dave regarding the Secdir review.
> >
> > Folks,
> >
> > Feeling no strong resolve, myself, here's my current though:
> >
> > The relevant part of Steve Kent's review:
> >
> >> I could imagine security issues that might be associated with this
> >> document
> >> vs. 5321, since the security section of the latter document does not
> >> address
> >> any security concerns related to transfer of 8-bit data. For example,
> >> the
> >> handshake used to determine whether an SMTP sever support
> >> receipt/relay of
> >> 8-bit data might be used to target servers based on the lack of such
> >> support.
> >> One might even cite the use of this transport capability as facilitating
> >> malware transmission in e-mail attachments :.
> >
> > A Security section should cover security issues that are specific to that
> > specification; it should not contain general-purpose tutorial material
> > nor
> > should it contain material that is needed for other specification.  It
> > other words, it should cover security issues that are new.
> >
> > I suppose there is a reasonable case to be made for some coverage of
> > materials that /should/ have been covered in another document, but
> > weren't, and are relevant to the current specification.  But even that
> > concession makes the question of what to include a slippery slope, IMO.
> >
> > In any event...
> >
> > The 8bitmime option does not create the potential for using SMTP option
> > negotations as an attack vector, such as permitting discovery of which
> > servers support an option.  I therefore think it better /not/ to cite
> > that in 1652bis. Given that this style of attack is not mentioned
> > elsewhere, I suppose a small enhancement to the current text would be
> > reasonable, such as:
> >
> >    is not believed to
> >    raise any security issues not already endemic in electronic mail and
> >    present in fully conforming implementations of [RFC5321] {{ ,
> > including
> >    attacks facilitated by the presence of an option negotiation
> > mechanism.}}

> Works for me.

This is fine with me as well.

> > Even though 8bitmime is not a pure 'binary' mechanism, it does move
> > things into a binary realm.  I therefore think that it /is/ reasonable
> > to cite the potential for facilitating attacks based on use of binary
> > data.  Hence, I propose also adding the text:
> >
> >    Exploitation by malware is facilitated by supporting binary data in
> > the
> >    transfer.  The 8BITMIME option does not provide a pure binary
> > transport, but
> >    since it does transfer a nearly-binary object, there is some
> > possibility
> >    that is could facilitate exploitations of this type.

> I am not convinced this is needed, as I would like to better understand
> what the issue is. However I also like detailed Security Considerations
> sections so I wouldn't object to adding this text either.

I have to strongly object to adding this, because this is quite simply at odds
with reality. One of the main principles in MIME is to be transport neutral,
that is, the semantics of what can be tranports *do* *not* change irrespective
of whether the underlying transport is 7bit, 8bit, or binary capable.

Indeed, I have to say I'm somewhat astounded that everyone seems to have lost
sight of this very basic principle, so if we're going to clarify anything in
this secutity considerations section, it should be exactly the opposite of this
claim. Something like

  Since MIME semantics are transport neutral the 8bitMIME option provides no
  added capability to dessiminate maleare than is provided by unextended 7bit
  SMTP.

would be fine to say here.

> BTW, Arnt and myself explained to Stephen Kent the difference between
> 8BITMIME and BINARYMIME. So I think he now understands that 8BITMIME is
> not appropriate for sending arbitrary binary data.

That's true but beside the point. Unless you're going to argue that the reduced
size you can get from BINARYMIME (and to a much lesser extent 8bitMIME) is a
significant factor, there is sinmply no relevant difference in their
capabilities.

And as for the whole size thing, if we're truly worried about the existance of
some sort of virus that both can be represented in 8bit without encoding and
gains substantial benefit from the size difference due to the lack of encoding,
well, I'm afraid I'm going to have to ask for some sort of proof that such a
thing actually exists because I certainly haven't ever heard of it.

It's one thing to spend time describing an attack that's purely hypothetical
but entirely possible. It's quite another to waste time on attacks that are
entirely fanciful.

> > Anyone object, suggest different text, or additional text?

Yes, see above.

				Ned