
Last Call Review of draft-ietf-extra-imap-replace-01
review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11-00

Request
  Review of: draft-ietf-extra-imap-replace
  Requested revision: No specific revision (document currently at 03)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2018-10-16
  Requested: 2018-10-02
  Authors: Stuart Brandt
  Draft last updated: 2018-10-11
  Completed reviews:
    Genart Last Call review of -01 by Robert Sparks
    Secdir Last Call review of -01 by Catherine Meadows
    Opsdir Last Call review of -02 by Scott O. Bradner

Assignment
  Reviewer: Catherine Meadows
  State: Completed
  Review: review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11
  Reviewed revision: 01 (document currently at 03)
  Result: Has Nits
  Completed: 2018-10-11
Reviewer:  Catherine Meadows

Review Result: Ready With Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft defines an extension to IMAP that allows a REPLACE command and
extends the UID command to UID REPLACE.

Previously, replaces were done by using three commands in sequence:  APPEND,
STORE, and EXPUNGE.  This was non-atomic, however, and failure of one of the
commands could leave messages in intermediate states that could be seen and
acted on by clients.

The Security Considerations section reads:

This document is believed to add no security problems beyond those that may
already exist with the base IMAP specification.

I would actually go further than that:   the REPLACE command may actually
prevent some potential security problems because it prevents some atomicity
failures that could possibly be exploited by an attacker.

If this is appropriate for the Security Considerations Section I would urge
the authors to include a statement to that effect after the sentence that says
the document adds no security problems.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Avenue
Washington DC, 20375
phone: 202-767-3490
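
Added example, not part of the review or of the draft: a toy in-memory mailbox that contrasts the three-command sequence described above (APPEND, STORE, EXPUNGE) with an all-or-nothing REPLACE, and reports what a second client would see if the operation stops partway. The Mailbox class, its method names and the message bodies are assumptions constructed for illustration; no real IMAP server or library is involved.

```python
# Toy mailbox model (constructed for illustration; not an IMAP client).
import copy

class Mailbox:
    def __init__(self):
        self.msgs = {}        # uid -> {"body": str, "deleted": bool}
        self.next_uid = 1

    def append(self, body):                      # models APPEND
        uid, self.next_uid = self.next_uid, self.next_uid + 1
        self.msgs[uid] = {"body": body, "deleted": False}
        return uid

    def store_deleted(self, uid):                # models STORE +FLAGS (\Deleted)
        self.msgs[uid]["deleted"] = True

    def expunge(self):                           # models EXPUNGE
        self.msgs = {u: m for u, m in self.msgs.items() if not m["deleted"]}

    def replace(self, uid, body, fail=False):    # models an atomic REPLACE
        staged = copy.deepcopy(self)             # work on a private copy
        new_uid = staged.append(body)
        if fail:
            raise RuntimeError("server error before commit")
        del staged.msgs[uid]
        self.msgs, self.next_uid = staged.msgs, staged.next_uid  # single commit
        return new_uid

    def view(self):
        """What another client would see: (body, has \\Deleted flag) pairs."""
        return sorted((m["body"], m["deleted"]) for m in self.msgs.values())

def legacy_replace(mbox, uid, body, fail_after=None):
    """Run APPEND, STORE, EXPUNGE; stop after step `fail_after` to model a failure."""
    steps = [lambda: mbox.append(body), lambda: mbox.store_deleted(uid), mbox.expunge]
    for n, step in enumerate(steps, start=1):
        step()
        if n == fail_after:
            break
    return mbox.view()

def atomic_replace(mbox, uid, body, fail=False):
    try:
        mbox.replace(uid, body, fail=fail)
    except RuntimeError:
        pass                                     # nothing was committed
    return mbox.view()
```

In this model a failure after step 1 leaves both versions visible, a failure after step 2 leaves the old version flagged but still present, and a failed REPLACE leaves the mailbox exactly as it was.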