Last Call Review of draft-kucherawy-authres-spf-erratum-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
The purpose of this ID is summed up in the introduction as follows:
[RFC 5451] defined a new header field for electronic mail messages
that presents the results of a message authentication effort in a
machine-readable format. That Request For Comments created a
registry of results for a few message authentication mechanisms, one
of which was the Sender Policy Framework [SPF]. The registry
contains one entry that is inconsistent with the latter
specification, which was noted in an erratum filed with the RFC
Editor. This memo updates the IANA registries accordingly.
The inconsistent header entry identifies the case in which an evaluation
according to RFC 4408 fails. The result of failing such an evaluation is that
the client is explicitly not authorized to inject or relay mail using the sender's DNS
domain. RFC 5451 gave "hardfail" as the result to be listed here, while RFC 4408 used "fail"
to mean the same thing. The purpose of this ID is to recommend that IANA mark
"hardfail" as deprecated and amend the "fail" entry appropriately.
This ID is definitely security relevant, as use of the wrong header could
cause a failure to recognize a failed authorization. Thus in the Security Considerations
section the authors say that "cautious implementers may wish to support both
result strings for some period of time."
One quibble: I believe that the above is good advice, but it seems a little hesitant. Why the use
of the words "cautious" and "may"? Why not say that "we recommend that"? Even if failure
to recognize a failed authorization doesn't lead to any immediate security problem,
it could prevent recognition of a potential attack, or more benignly, of a possible
Naval Research Laboratory
4555 Overlook Ave., S.W.
Washington DC, 20375
catherine.meadows at nrl.navy.mil