On 3/8/2010 12:33 AM, S Moonesamy wrote:
> As there is no strong resolve, I suggest sending the following response
> to Sec-dir:
>
> The YAM WG discussed the issues raised during the Sec-dir review of
> draft-ietf-yam-rfc1652bis-03 and concluded that:
>
> (i) The presence of an option negotiation mechanism is not believed to
> facilitate attacks or raise any security issues not already endemic
> in electronic mail and present in fully conforming implementations
> of RFC5321.
>
> (ii) Since MIME semantics are transport neutral, the 8bitMIME option
> provides no added capability to disseminate malware beyond that provided
> by unextended 7bit SMTP.
This is a clear and supportable stance. And as Ned notes, a short Security
section that is valid should be defended.
I'm entirely comfortable with my name on this document, with that position.
That said...
I'll note that confusion about the exposure this option does /not/ create seems
to be pretty easy to suffer. Defending against /that/ problem is probably worth
a small amount of extra text.
The change I suggested:
> is not believed to
> raise any security issues not already endemic in electronic mail and
> present in fully conforming implementations of [RFC5321] {{ ,including
> attacks facilitated by the presence of an option negotiation mechanism.}}
Got some support.
And I have developed an even greater concern for the thinking that this type of
binary mechanism causes a malware window. I think we now have affirmative proof
that the confusion is common.
So, I'll suggest that we use Ned's text:
Since MIME semantics are transport neutral, the 8bitMIME option provides no
added capability to disseminate malware beyond that provided by unextended 7bit
SMTP.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
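Added illustration (not part of the thread, the draft, or Ned's text): the same binary attachment is wrapped once with a 7-bit-clean base64 encoding, as unextended SMTP requires, and once with the 8bit encoding that 8BITMIME allows; only the wire form differs, and a scanner or MUA decoding the part recovers identical bytes either way. The payload and addresses are constructed.

```python
"""Added example (not part of the mailing-list thread): shows that the
Content-Transfer-Encoding of a MIME part changes only the wire form,
not the decoded payload. Sample payload and addresses are constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample payload: contains octets above 0x7F, so it is not
# 7-bit clean, but no bare CR/LF, so it is valid for an 8bit body part.
SAMPLE_PAYLOAD = "caf\u00e9 \u00fcber".encode("utf-8") + b"\x80\xfe\xff"


def build_message(cte: str) -> bytes:
    """Wrap SAMPLE_PAYLOAD as an attachment using the given CTE.

    'base64' is 7-bit clean and needs no ESMTP extension; '8bit' is
    what the 8BITMIME option (RFC 1652 and its bis) lets a client send.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "transport neutrality demo"
    msg.set_content("see attachment")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="blob.bin", cte=cte)
    return msg.as_bytes()


def is_seven_bit_clean(wire: bytes) -> bool:
    """True if every octet on the wire fits in 7 bits (plain SMTP)."""
    return all(b < 0x80 for b in wire)


def decoded_attachment(wire: bytes) -> bytes:
    """Parse a message off the wire and return the attachment's bytes,
    exactly as a content scanner or the recipient's MUA would see them."""
    msg = message_from_bytes(wire, policy=policy.SMTP)
    (part,) = list(msg.iter_attachments())
    return part.get_payload(decode=True)


def compare_transports() -> dict:
    """Carry the same part over 7bit-only SMTP (base64) and via 8BITMIME."""
    wire7 = build_message("base64")
    wire8 = build_message("8bit")
    return {
        "base64_is_7bit_clean": is_seven_bit_clean(wire7),
        "8bit_is_7bit_clean": is_seven_bit_clean(wire8),
        "same_decoded_bytes": (decoded_attachment(wire7)
                               == decoded_attachment(wire8) == SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in compare_transports().items():
        print(f"{key}: {value}")
```

The defender's takeaway is the one in the proposed text: filtering must act on the decoded MIME content, since declining the 8BITMIME option changes nothing about what can be delivered.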
_______________________________________________
yam mailing list
https://www.ietf.org/mailman/listinfo/yam