Last Call Review of draft-ietf-eai-rfc5336bis-
review-ietf-eai-rfc5336bis-secdir-lc-atkins-2011-10-28-00

Request Review of draft-ietf-eai-rfc5336bis
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-10-18
Requested 2011-10-07
Draft last updated 2011-10-28
Completed reviews Secdir Last Call review of -?? by Derek Atkins
Assignment Reviewer Derek Atkins
State Completed
Review review-ietf-eai-rfc5336bis-secdir-lc-atkins-2011-10-28
Review completed: 2011-10-28

Review

Sorry, that previous email was a review of draft-ietf-eai-rfc5336bis-14.txt.
I apologize for any confusion.

-derek

Derek Atkins <derek at ihtfp.com> writes:

> Hi,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
>    This document specifies an SMTP extension for transport and delivery
>    of email messages with internationalized email addresses or header
>    information.
>
> The security considerations section lists a number of issues to
> consider with this document, and presents the issues well.  It does
> not go into particular depth about what could happen if those issues
> are not addressed.
>
> For example, 3.7.2 mentions "surprising rejections" but doesn't go
> into any depth beyond that nor does it explain what other failures can
> happen.
>
> Operationally it might be hard to make sure that all or none of the MX
> servers support UTF8SMTPbis, especially if the MX servers might MX for
> multiple domains, or be under different operational control.  What are
> the situations where mixed-MX support will work or fail?  Should MX
> servers need the ability to turn on or off support for this protocol
> on a per-domain basis to protect against these types of failures?
>
> Thanks,
>
> -derek

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant