Re: [Gen-art] Genart last call review of draft-ietf-jmap-smime-07

Tue, 07 Sep 2021 21:20:05 -0700 

Thanks for that Bron. I suspected there was a discussion about this topic in
the WG, but that it simply wasn't reflected in the I-D. For those of us who
haven't kept up, adding a little bit of that discussion into the
introductory material would help a lot. 

 

                                Kind regards,

                                -Peter

 

From: Bron Gondwana <br...@fastmailteam.com> 
Sent: Tuesday, September 07, 2021 5:10 AM
To: Peter Yee <pe...@akayla.com>; gen-art@ietf.org
Cc: draft-ietf-jmap-smime....@ietf.org; j...@ietf.org; last-c...@ietf.org
Subject: Re: Genart last call review of draft-ietf-jmap-smime-07

 

On Tue, Sep 7, 2021, at 17:00, Peter Yee via Datatracker wrote:

Summary: This document provides a JMAP extension that allows the JMAP server
to

provide its thoughts on the verification of a messages S/MIME signature.
While

the details of the extension seem fine, I'm not convinced that the rationale

for it and the consequences of trusting the server to perform the
verification

are well described. [Ready with issues]

 

Thanks for the detailed review Peter!  I'll leave the specific nits to
Alexey as author.  Good point with the "rationale for trusting the server".
We did discuss this during the early meetings when this draft came up, and
considered that this would most likely be used within an organisation which
controls both the client and the server.  JMAP is particularly well suited
to very simple and light-weight clients.

 

It's envisioned that JMAP clients may even be a simple widget which displays
some details like mailbox counters or previews of the most recent few
messages.  By having the server side do S/MIME validation, a client can
simply check a property to display an icon next to a preview without being a
full S/MIME client.  Obviously this isn't something you would do where you
didn't trust the server absolutely!

 

It seems reasonable to me to add some text that summarizes this
understanding in the introduction, along with the existing "requires the
client to trust server verification code" in the security considerations.

 

Cheers,

 

Bron.

 

 

--

  Bron Gondwana, CEO, Fastmail Pty Ltd

  br...@fastmailteam.com <mailto:br...@fastmailteam.com> 

 

 


_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art

Reply via email to