Last Call Review of draft-ietf-sieve-autoreply-
review-ietf-sieve-autoreply-secdir-lc-atkins-2010-12-03-00
Request | Review of | draft-ietf-sieve-autoreply |
---|---|---|
Requested revision | No specific revision (document currently at 04) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2010-12-02 | |
Requested | 2010-11-22 | |
Authors | Barry Leiba , Robins George , Alexey Melnikov | |
I-D last updated | 2010-12-03 | |
Completed reviews |
Secdir Last Call review of -??
by Derek Atkins
|
|
Assignment | Reviewer | Derek Atkins |
State | Completed | |
Request | Last Call review on draft-ietf-sieve-autoreply by Security Area Directorate Assigned | |
Completed | 2010-12-03 |
review-ietf-sieve-autoreply-secdir-lc-atkins-2010-12-03-00
Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes how the Sieve email filtering language, along with some extensions, can be used to create automatic replies to incoming electronic mail messages based on the address book and presence information of the recipient. The security considerations section details many potential issues with automated responders. One attack that it does not mention is the potential for using the auto-responder as an oracle, in particular if the system is using any public key cryptographic methods. An attacker could, theoretically, use the auto-responder to perform timing attacks. -derek -- Derek Atkins 617-623-3745 derek at ihtfp.com www.ihtfp.com Computer and Internet Security Consultant