Last Call Review of draft-ietf-imapapnd-appendlimit-extension-07
review-ietf-imapapnd-appendlimit-extension-07-secdir-lc-wouters-2016-01-07-00

I have reviewed this document as part of the security directorate's


ongoing effort to review all IETF documents being processed by the 


IESG.  These comments were written primarily for the benefit of the 


security area directors.  Document editors and WG chairs should treat 


these comments just like any other last call comments.




This document is Ready

The document describes an IMAP extension to convey a limit size for
appending to a mailbox. This prevents situations where the clients
upload data only to have it rejected by the server. The security
considerations are therefor limited in scope, as it is more of an
optimization. The only item mentioned in the section is that an
attacker that knows the limit could optimize their attack by sending
better matching sized payloads for a denial-of-service attack, and
servers should disconnect such clients as abusive. I believe that
it correctly covers any new security risks that could arise from this
document's specification. And that this issue is very minor compared
to other DOS attacks possible by malicious clients that can successfully
authenticate against the IMAP server.

Paul