Hello,
This is an attempt to summarize the discussion about the Secdir
review [1] and formulate a response.
At 03:18 04-03-10, Alexey Melnikov wrote:
RFC 5321 is also being revised by the YAM WG, so I would prefer any
such text to go there.
I presume that the Area Director would be agreeable to not making any
changes to draft-ietf-yam-rfc1652bis-03.
Dave asked for the WG's opinion [2] and made a recommendation
[3]. There hasn't been any objection to the following text for
Section 5 of draft-ietf-yam-rfc1652bis-03:
This RFC does not discuss security issues and is not believed to
raise any security issues not already endemic in electronic mail and
present in fully conforming implementations of [RFC5321], including
attacks facilitated by the presence of an option negotiation mechanism.
Alexey is not convinced that text discussing exploitation by malware
is needed [4]. Alessandro agrees that corrections should not be made
[5] at the cost of "leading to madness".
Ned suggested alternative text [6] and Tony Finch supported it.
"Since MIME semantics are transport neutral the 8bitMIME option provides no
added capability to disseminate malware than is provided by unextended 7bit
SMTP."
John Klensin wrote the following text [7]:
"Users of the email system should be aware that ignorant, non-conforming,
and incompetent implementations of this and other email specifications
can create vulnerabilities. Such implementations should be avoided"
I'll highlight a comment from Ned as I believe that it is pertinent
to the YAM WG's work:
"This is a path to madness, or more accurately, to a world where security
considerations contain so many obvious, irrelevant, or both issues that the
real issues specific to a given protocol or format simply get lost in all the
other noise. And this is not a path which, if followed, will improve overall
Internet security. To the extent it has an effect, it will be the opposite."
As there is no strong resolve, I suggest sending the following
response to Sec-dir:
The YAM WG discussed the issues raised during the Sec-dir review of
draft-ietf-yam-rfc1652bis-03 and concluded that:
(i) The presence of an option negotiation mechanism is not believed to
facilitate attacks or raise any security issues not already endemic
in electronic mail and present in fully conforming implementations
of RFC5321.
(ii) Since MIME semantics are transport neutral the 8bitMIME option
provides no added capability to disseminate malware than is provided
by unextended 7bit SMTP.
Regards,
S. Moonesamy
YAM WG Secretary
1. http://www.ietf.org/mail-archive/web/yam/current/msg00366.html
2. http://www.ietf.org/mail-archive/web/yam/current/msg00370.html
3. http://www.ietf.org/mail-archive/web/yam/current/msg00385.html
4. http://www.ietf.org/mail-archive/web/yam/current/msg00386.html
5. http://www.ietf.org/mail-archive/web/yam/current/msg00382.html
6. http://www.ietf.org/mail-archive/web/yam/current/msg00388.html
7. http://www.ietf.org/mail-archive/web/yam/current/msg00390.html