
Re: Suggested changes to address Cullen's DISCUSS on draft-ietf-sieve-3028bis-12.txt

2007-09-07 18:05:47

Cullen Jennings wrote on 9/5/07 18:03 -0700:
I think we are talking past each other a bit so it might be very helpful to
have a phone call at some point. Let me make sure that I got what you are
saying here at the high level - I think your position is roughly the

If implementors follow the advice that Lisa put in the RFC Ed note (what
Alexey and you had sent), then it is still possible to have massive mail
bomb style attacks using SIEVE but in practice this is not an issue because
of a few things including 1) it is not the weakest link of the email
infrastructure and other things are attacked first 2) it is no worse than
currently deployed things 3) logging can help with removing the
offending accounts after the fact. By massive here I mean something more
like 2^100 not 100 messages.

Do I have that about right?

[speaking as a technical contributor, not an AD]

I believe you have that about right. Indeed if you delete the first phrase and the text "using SIEVE" it states the present and historical behavior of the email system with .forward files, procmail and various other MTA-level forwarding/filtering mechanisms that have existed for decades and continue to be widely deployed and widely used.

This is one of the many cases where customers demand power tools that can be used to cause harm. Quick and dirty attempts to make those tools harmless will also make them unacceptable to customers. If our security considerations make unrealistic recommendations that vendors must ignore, that makes vendors that much more likely to ignore all the security considerations we write. I consider our specifications higher quality if we limit ourselves to realistic recommendations and avoid the impractical ones.

For now, we have years of real world experience demonstrating that received counting and logging are sufficient mitigation for this threat in today's world.

Here's an analogy:

Cars are very dangerous. It would save thousands of lives if we banned cars from driving on highways. Is that a good mitigation for the threat?

               - Chris
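
The "received counting and logging" mitigation Chris refers to, shown as an added example that is not part of either message and not an implementation from the Sieve draft: before a redirect action is honoured, count the Received header fields already on the message and refuse (and log) once they reach a hop limit, so a redirect loop or a chain of forwarding accounts terminates on its own. Every message goes through the same check, so each hop adds one Received field and the counter grows until the limit stops it. The hop limit of 25, the host names and the sample message are all constructed for this example.

```python
import email
import logging
from typing import List, Tuple

# Constructed hop limit for the example; the thread gives no number.
MAX_RECEIVED = 25

# Constructed sample message with three Received fields (three prior hops).
SAMPLE = (
    b"Received: from mx2.example.net by mail.example.org; Fri, 7 Sep 2007 18:05:47 +0000\n"
    b"Received: from mx1.example.net by mx2.example.net; Fri, 7 Sep 2007 18:05:40 +0000\n"
    b"Received: from sender.example.com by mx1.example.net; Fri, 7 Sep 2007 18:05:30 +0000\n"
    b"From: alice@example.com\n"
    b"To: bob@example.org\n"
    b"Subject: test\n"
    b"\n"
    b"body\n"
)

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("sieve-redirect")

# Audit trail of redirect decisions, so offending accounts can be found after the fact.
AUDIT: List[Tuple[str, str, int, bool]] = []


def count_received(raw: bytes) -> int:
    """Number of Received header fields on the message (one per MTA hop)."""
    msg = email.message_from_bytes(raw)
    return len(msg.get_all("Received", []))


def redirect_allowed(raw: bytes, owner: str, target: str, limit: int = MAX_RECEIVED) -> bool:
    """Decide whether a Sieve redirect for `owner` to `target` may be performed.

    Refuses once the message already carries `limit` Received fields, and logs
    every decision with the script owner and destination.
    """
    hops = count_received(raw)
    allowed = hops < limit
    AUDIT.append((owner, target, hops, allowed))
    if allowed:
        log.info("redirect owner=%s target=%s hops=%d", owner, target, hops)
    else:
        log.warning("redirect refused (hop limit %d) owner=%s target=%s hops=%d",
                    limit, owner, target, hops)
    return allowed


def add_hop(raw: bytes, from_host: str, by_host: str) -> bytes:
    """Prepend the Received field the receiving MTA would add on the next hop."""
    line = f"Received: from {from_host} by {by_host}; (constructed timestamp)\n"
    return line.encode() + raw


def simulate_forward_loop(raw: bytes, limit: int = MAX_RECEIVED) -> int:
    """Two accounts that redirect to each other: count redirects before the limit stops the loop."""
    redirects = 0
    owners = [("alice@example.com", "bob@example.org"), ("bob@example.org", "alice@example.com")]
    while True:
        owner, target = owners[redirects % 2]
        if not redirect_allowed(raw, owner, target, limit):
            return redirects
        raw = add_hop(raw, "mail.example.org", "mail.example.org")
        redirects += 1


if __name__ == "__main__":
    print("initial hops:", count_received(SAMPLE))
    print("redirects before loop stopped:", simulate_forward_loop(SAMPLE))
```

Without a limit the two mutually-redirecting accounts would bounce the message between them indefinitely; with a limit the loop ends after a bounded number of deliveries and the audit records name the accounts involved.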
