Last Call Review of draft-ietf-extra-imap-replace-01
review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11-00

Request Review of draft-ietf-extra-imap-replace
Requested rev. no specific revision (document currently at 02)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-10-16
Requested 2018-10-02
Other Reviews Genart Last Call review of -01 by Robert Sparks (diff)
Review State Completed
Reviewer Catherine Meadows
Review review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11
Posted at https://mailarchive.ietf.org/arch/msg/secdir/Xin2lBVcykdeYtGrvVrw4CWvkWA
Reviewed rev. 01 (document currently at 02)
Review result Has Nits
Draft last updated 2018-10-11
Review completed: 2018-10-11

Review
review-ietf-extra-imap-replace-01-secdir-lc-meadows-2018-10-11

Reviewer:  Catherine Meadows

Review Result: Ready With Nits

 

I have reviewed this document as part of the security directorate's 

ongoing effort to review all IETF documents being processed by the 

IESG.  These comments were written primarily for the benefit of the 

security area directors.  Document editors and WG chairs should treat 

these comments just like any other last call comments.

 

 

This draft defines an extension to IMAP that allows a REPLACE command and extends the UID command to UID REPLACE.

Previously, replaces were done by using three commands in sequence:  APPEND, STORE, and EXPUNGE.  This was non-atomic, however, and failure of one of the commands could leave messages in intermediate states that could be seen and acted on by clients.

 

The Security Considerations section reads:

 

This document is believed to add no security problems beyond those that may already exist with the base IMAP specification.  

 

I would actually go further than that:   the REPLACE command may actually prevent some potential security problems because it prevents some atomicity failures that could possibly be exploited by an attacker.

 

If this is an appropriate for the Security Considerations Section I would urge the authors to include a statement to that effect after the sentence that says the document adds no security problems.  

 

 

 

Catherine Meadows

Naval Research Laboratory

Code 5543

4555 Overlook Avenue

Washington DC, 20375

phone: 202-767-3490