Skip to main content

Last Call Review of draft-ietf-imapapnd-appendlimit-extension-07

Request Review of draft-ietf-imapapnd-appendlimit-extension
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-01-01
Requested 2015-12-22
Authors Jayantheesh , Narendra Singh Bisht
I-D last updated 2016-01-07
Completed reviews Genart Last Call review of -07 by Peter E. Yee (diff)
Secdir Last Call review of -07 by Paul Wouters (diff)
Opsdir Last Call review of -07 by Sarah Banks (diff)
Assignment Reviewer Paul Wouters
State Completed
Request Last Call review on draft-ietf-imapapnd-appendlimit-extension by Security Area Directorate Assigned
Reviewed revision 07 (document currently at 10)
Result Ready
Completed 2016-01-07
I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the 

IESG.  These comments were written primarily for the benefit of the 

security area directors.  Document editors and WG chairs should treat 

these comments just like any other last call comments.

This document is Ready

The document describes an IMAP extension to convey a limit size for
appending to a mailbox. This prevents situations where the clients
upload data only to have it rejected by the server. The security
considerations are therefor limited in scope, as it is more of an
optimization. The only item mentioned in the section is that an
attacker that knows the limit could optimize their attack by sending
better matching sized payloads for a denial-of-service attack, and
servers should disconnect such clients as abusive. I believe that
it correctly covers any new security risks that could arise from this
document's specification. And that this issue is very minor compared
to other DOS attacks possible by malicious clients that can successfully
authenticate against the IMAP server.