Sieve Email Filtering: Extension for Notifications
Note: This ballot was opened for revision 12 and is now closed.
(Lisa Dusseault) Yes
(Jari Arkko) No Objection
(Ron Bonica) No Objection
(Ross Callon) No Objection
(Lars Eggert) (was No Record, No Objection) No Objection
(Sam Hartman) No Objection
(Russ Housley) No Objection
Comment (2007-12-19 for -)
From Gen-ART Review by Pasi Eronen. The document effectively creates a new "name space" for notification-capability values, and defines a single value "online". Shouldn't this be included in the IANA considerations section, requesting IANA to maintain a registry for notification-capability values?
(Cullen Jennings) (was Discuss, No Objection, Discuss) No Objection
(Chris Newman) (was Yes) No Objection
Comment (2007-12-20 for -)
In response to Cullen's discuss, it is possible to construct parameters from message content using the Sieve variables extension, as the last paragraph in the security considerations points out. That paragraph points out the need for URL encoding of the parameters, but does not discuss the security implications of generating the address from message content. While I suspect most implementers/users would not be foolish enough to do that, particularly because the syntax gets so grotty, it wouldn't hurt to mention how dangerous that is. One simple remedy for the threat would be to simply disallow use of sieve variables in the method parameter of the notify command via script analysis. Note that I would not discuss over this issue, but I do think a brief comment on this issue in the security considerations would improve the document. My previous comments: An issue with nomenclature that I recommend fixing. This document uses the term "importance" with a completely different meaning from the "importance" header in the Header Registry. Indeed, in this document, the term "importance" has the same meaning as the "priority" header in the mail headers registry and the "urgency" header in the XMPP registry. I would prefer this used consistent terminology. I recommend ":urgency" or ":priority" instead of ":importance". I understand the change would be annoying this late in the process given the notify XMPP document has to be updated as well, which is why I'm not making this a discuss issue. But please consider this seriously. One nit. The IANA registration template for notification mechanisms (section 9.2) uses "Standards Track/IESG-approved experimental RFC number:" in the template, but that registry uses the "Specification Required" policy that does not require standards track processing or IESG approval. I suggest the template use "Permanent and readily available reference:" to avoid confusion.
(Jon Peterson) No Objection
(Tim Polk) No Objection
Comment (2007-12-19 for -)
Sean Turner's secdir review raised some Last Call issues that merit further review.