Last Call Review of draft-kucherawy-authres-vbr-

Request Review of draft-kucherawy-authres-vbr
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-01-18
Requested 2010-12-03
Draft last updated 2011-01-10
Completed reviews Secdir Last Call review of -?? by David McGrew
Assignment Reviewer David McGrew
State Completed
Review review-kucherawy-authres-vbr-secdir-lc-mcgrew-2011-01-10
Review completed: 2011-01-10


I have reviewed this document as part of the security directorate's  

ongoing effort to review all IETF documents being processed by the  

IESG.  These comments were written primarily for the benefit of the  

security area directors.  Document editors and WG chairs should treat  

these comments just like any other last call comments.

This draft defines a way that a border mail gateway that assesses  

inbound email using VBR can use AUTHRES to pass along the results of  

its assessment to user agents or other entities such as mail filters.   

This is a sensible and useful thing to do, and the draft is  

straightforward and clear.  I have a few comments/questions.

Section 1.  It is not clear what problem is referred to in paragraph  


Section 4.

What behavior should a mail filter have upon receiving the result  

codes defined in that section?   If the recommended behavior is  

defined elsewhere (presumably [VBR]), then it should be referenced in  

this section.

What behavior should a border mail gateway have upon receiving a VBR  

response?   For instance, under what conditions (if any) should a  

border mail gateway not forward an email on which VBR has returned  

"fail"?   I would guess that this draft expects gateways to always  

forward emails, and regards a mail filter as a logically separate  

entity.  I suggest clarifying this point.

Section 6.  The Security Considerations are short, but I agree with  

what they say (that the Security Considerations of [VBR] and [AUTHRES]  

should be read and understood).