Last Call Review of draft-leiba-5322upd-from-group-

Request Review of draft-leiba-5322upd-from-group
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-11-08
Requested 2012-10-11
Authors Barry Leiba
Draft last updated 2012-11-01
Completed reviews Genart Last Call review of -?? by Roni Even
Genart Telechat review of -?? by Roni Even
Secdir Last Call review of -?? by Warren Kumari
Assignment Reviewer Warren Kumari 
State Completed
Review review-leiba-5322upd-from-group-secdir-lc-kumari-2012-11-01
Review result Ready
Review completed: 2012-11-01


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document updates RFC5322 to allow group syntax in From: and Sender: (and "Resent-From:" and "Resent-Sender:").

I found the security considerations section to be well written, clear and complete (enough!). It appears that the author has considered and explained the security implications of the changes.
As From: addresses are frequently spoofed (and contain random crap), they are treated as untrusted data, and so this does not seem to significantly change the threat model.

As a general note I think that it could be made clearer *why* this is being done -- this document does a good job of explaining *how* this change gets implemented, and the implications of this change, but the reason why remains kinda vague to me -- I'm not an email geek, so it may be blindingly obvious to others. There is some use case text about "group syntax evolving" and EAI, but for someone not skilled in the art it doesn't communicate much.
Anyway, this is just a general observation…



There are only 10 types of people in this world -- those who understand binary arithmetic and those who don't.
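To make the change under review concrete from the receiving side: once group syntax is allowed in From:, the field may carry zero, one or many mailboxes, and the review's point that From: is untrusted data applies to all of them. The following is an added example, not code from the draft or from the reviewer; it uses only the Python standard library's email parser, and the three sample messages (PLAIN_FROM, GROUP_FROM, EMPTY_GROUP_FROM) and the function names are constructed for this illustration.

```python
"""Inspect the From: field of a message once group syntax is permitted there.

Added example (not code from the draft or from the review above). Only the
Python standard library is used; the sample messages below are constructed.
"""
from email import message_from_string, policy

# Constructed sample messages (not taken from the draft or the review).
PLAIN_FROM = "From: Alice <alice@example.com>\nSubject: one mailbox\n\nbody\n"
GROUP_FROM = ("From: Managers: alice@example.com, Bob <bob@example.com>;\n"
              "Subject: group with two mailboxes\n\nbody\n")
EMPTY_GROUP_FROM = "From: undisclosed-recipients:;\nSubject: empty group\n\nbody\n"


def from_groups(raw):
    """Return [(group_name_or_None, number_of_mailboxes)] for the From: field.

    A bare mailbox is reported by the parser as a group whose name is None.
    """
    msg = message_from_string(raw, policy=policy.default)
    header = msg["From"]
    if header is None:
        return []
    return [(g.display_name, len(g.addresses)) for g in header.groups]


def from_addr_specs(raw):
    """Return every addr-spec found in From:, flattening any groups."""
    msg = message_from_string(raw, policy=policy.default)
    header = msg["From"]
    if header is None:
        return []
    return [a.addr_spec for a in header.addresses]


def from_anomaly(raw):
    """Describe why a From: value needs special handling downstream, or None.

    Code that keys a reputation lookup, an alignment check or a reply address
    on "the" From mailbox must not assume that exactly one exists.
    """
    specs = from_addr_specs(raw)
    if not specs:
        return "no mailbox in From"
    if len(specs) > 1:
        return "multiple mailboxes in From"
    return None


if __name__ == "__main__":
    for raw in (PLAIN_FROM, GROUP_FROM, EMPTY_GROUP_FROM):
        print(from_groups(raw), from_addr_specs(raw), from_anomaly(raw))
```

The flattened list from `from_addr_specs` is what a filter or mail client should iterate over; `from_anomaly` shows the two cases (an empty group and a multi-mailbox group) that single-mailbox assumptions in existing code would silently mishandle.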