Last Call Review of draft-ietf-sieve-autoreply-
review-ietf-sieve-autoreply-secdir-lc-atkins-2010-12-03-00
| Request | Review of | draft-ietf-sieve-autoreply |
|---|---|---|
| Requested revision | No specific revision (document currently at 04) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2010-12-02 | |
| Requested | 2010-11-22 | |
| Authors | Barry Leiba , Robins George , Alexey Melnikov | |
| I-D last updated | 2010-12-03 | |
| Completed reviews |
Secdir Last Call review of -??
by Derek Atkins
|
|
| Assignment | Reviewer | Derek Atkins |
| State | Completed | |
| Request | Last Call review on draft-ietf-sieve-autoreply by Security Area Directorate Assigned | |
| Completed | 2010-12-03 |
review-ietf-sieve-autoreply-secdir-lc-atkins-2010-12-03-00
Hi,
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This document describes how the Sieve email filtering language, along
with some extensions, can be used to create automatic replies to
incoming electronic mail messages based on the address book and
presence information of the recipient.
The security considerations section details many potential issues with
automated responders. One attack that it does not mention is the
potential for using the auto-responder as an oracle, in particular if
the system is using any public key cryptographic methods. An attacker
could, theoretically, use the auto-responder to perform timing attacks.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant