Last Call Review of draft-ietf-extra-imap-replace-01
review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11-00
| Request | Review of | draft-ietf-extra-imap-replace |
|---|---|---|
| | Requested revision | No specific revision (document currently at 03) |
| | Type | Last Call Review |
| | Team | Security Area Directorate (secdir) |
| | Deadline | 2018-10-16 |
| | Requested | 2018-10-02 |
| | Authors | Stuart Brandt |
| | Draft last updated | 2018-10-11 |
| | Completed reviews | Genart Last Call review of -01 by Robert Sparks; Secdir Last Call review of -01 by Catherine Meadows; Opsdir Last Call review of -02 by Scott O. Bradner |
| Assignment | Reviewer | Catherine Meadows |
| | State | Completed |
| | Review | review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11 |
| | Reviewed revision | 01 (document currently at 03) |
| | Result | Has Nits |
| | Completed | 2018-10-11 |
Reviewer: Catherine Meadows
Review Result: Ready With Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft defines an extension to IMAP that allows a REPLACE command and extends the UID command to UID REPLACE. Previously, replaces were done by using three commands in sequence: APPEND, STORE, and EXPUNGE. This was non-atomic, however, and failure of one of the commands could leave messages in intermediate states that could be seen and acted on by clients.

The Security Considerations section reads:

> This document is believed to add no security problems beyond those that may already exist with the base IMAP specification.

I would actually go further than that: the REPLACE command may actually prevent some potential security problems because it prevents some atomicity failures that could possibly be exploited by an attacker. If this is appropriate for the Security Considerations Section I would urge the authors to include a statement to that effect after the sentence that says the document adds no security problems.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Avenue
Washington DC, 20375
phone: 202-767-3490
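
The intermediate states described in the review can be seen in a small model, added here as an example that is not part of the review or the draft. It is a toy in-memory mailbox, not an IMAP implementation; `Mailbox`, `legacy_replace` and `demo` are hypothetical names, and a failure is simulated by stopping the APPEND, STORE, EXPUNGE sequence after a chosen step.

```python
# Toy in-memory mailbox, constructed for illustration; not an IMAP implementation.
class Mailbox:
    def __init__(self):
        self.next_uid = 1
        self.msgs = {}  # uid -> {"body": str, "deleted": bool}

    def append(self, body):
        uid, self.next_uid = self.next_uid, self.next_uid + 1
        self.msgs[uid] = {"body": body, "deleted": False}
        return uid

    def store_deleted(self, uid):
        self.msgs[uid]["deleted"] = True  # models STORE +FLAGS (\Deleted)

    def expunge(self):
        self.msgs = {u: m for u, m in self.msgs.items() if not m["deleted"]}

    def replace(self, uid, body):
        """Atomic model: validate, build the new state aside, swap once."""
        if uid not in self.msgs:
            raise KeyError(uid)  # mailbox left untouched
        staged = {u: m for u, m in self.msgs.items() if u != uid}
        staged[self.next_uid] = {"body": body, "deleted": False}
        self.msgs, self.next_uid = staged, self.next_uid + 1
        return self.next_uid - 1

    def visible(self):
        """What another client selecting the mailbox would see."""
        return sorted((u, m["body"], m["deleted"]) for u, m in self.msgs.items())


def legacy_replace(mbox, uid, body, fail_after=None):
    """APPEND, STORE, EXPUNGE in sequence; returns the state visible after
    each completed step. fail_after names the last step that succeeds."""
    steps = [("APPEND", lambda: mbox.append(body)),
             ("STORE", lambda: mbox.store_deleted(uid)),
             ("EXPUNGE", mbox.expunge)]
    seen = []
    for name, step in steps:
        step()
        seen.append((name, mbox.visible()))
        if name == fail_after:
            break  # simulated failure: the remaining commands never run
    return seen


def demo():
    a, b = Mailbox(), Mailbox()
    old_a, old_b = a.append("draft v1"), b.append("draft v1")
    stuck = legacy_replace(a, old_a, "draft v2", fail_after="APPEND")[-1][1]
    b.replace(old_b, "draft v2")
    return stuck, b.visible()
```

In the model, a failure after APPEND leaves both the old and new message live in the mailbox, while the single-step replace exposes only the before and after states.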