Last Call Review of draft-ietf-imapapnd-appendlimit-extension-07

Request Review of draft-ietf-imapapnd-appendlimit-extension
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-01-01
Requested 2015-12-22
Draft last updated 2016-01-07
Completed reviews Genart Last Call review of -07 by Peter Yee (diff)
Secdir Last Call review of -07 by Paul Wouters (diff)
Opsdir Last Call review of -07 by Sarah Banks (diff)
Assignment Reviewer Paul Wouters
State Completed
Review review-ietf-imapapnd-appendlimit-extension-07-secdir-lc-wouters-2016-01-07
Reviewed rev. 07 (document currently at 10)
Review result Ready
Review completed: 2016-01-07


I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the 

IESG.  These comments were written primarily for the benefit of the 

security area directors.  Document editors and WG chairs should treat 

these comments just like any other last call comments.

This document is Ready

The document describes an IMAP extension to convey a limit size for
appending to a mailbox. This prevents situations where the clients
upload data only to have it rejected by the server. The security
considerations are therefor limited in scope, as it is more of an
optimization. The only item mentioned in the section is that an
attacker that knows the limit could optimize their attack by sending
better matching sized payloads for a denial-of-service attack, and
servers should disconnect such clients as abusive. I believe that
it correctly covers any new security risks that could arise from this
document's specification. And that this issue is very minor compared
to other DOS attacks possible by malicious clients that can successfully
authenticate against the IMAP server.