Last Call Review of draft-ietf-morg-list-specialuse-
review-ietf-morg-list-specialuse-secdir-lc-lonvick-2010-12-16-00

Request Review of draft-ietf-morg-list-specialuse
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-12-14
Requested 2010-12-03
Other Reviews
Review State Completed
Reviewer Chris Lonvick
Review review-ietf-morg-list-specialuse-secdir-lc-lonvick-2010-12-16
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg02277.html
Draft last updated 2010-12-16
Review completed: 2010-12-16

Review
review-ietf-morg-list-specialuse-secdir-lc-lonvick-2010-12-16

Hi,



I have reviewed this document as part of the security directorate's 


ongoing effort to review all IETF documents being processed by the IESG. 


These comments were written primarily for the benefit of the security area 


directors.  Document editors and WG chairs should treat these comments 


just like any other last call comments.






I am not altogether familiar with the placement of IMAP mailboxes to have 


a solid grasp on the subject.  Please take my comments with a grain of 


salt.  :)






You mention at the end of Section 2 that users may configure shared 


mailboxes.  Does that imply that mailboxes are not normally shared, and 


would then mean that another user would not have any access to any of the 


mailboxes identified by IMAP unless they were specifically given a common, 


shared mailbox?






An example of my concern is that the \Junk mailbox may be configured to be 


common to all the users.  In some cases, a legitimate piece of mail may be 


incorrectly marked as spam by a filter and then placed into the Junk bin. 


If that were to happen, anyone who had access to that mailbox would be 


able to see the contents of that email.






If this could happen, then a line or two in the Security Considerations 


section to alert the reader to this potential threat would address my 


concern.






Other than that, I find the document to be of good quality and ready to be 


discussed by the IESG.




Thanks,
Chris