Hi Abbie,
Looking at the document, draft-ietf-opes-smtp-security-00, I
suggest that the work in section 5 relate to Security Threats
and Risks for Open (RFC 3837) and state the additional risks
and counter measures that applies to the SMTP case.
RFC 3837 is one of our documents that is really application
agnostic.
RFC 3914 was too much concentrating on HTTP, that is why this
draft was written to address the SMTP specific issues in regards
to the IAB considerations handled in RFC 3914.
The Security Considerations section of RFC 3914 is very short too.
Security issues introduced by SMTP/OPES must be handled in that
draft anyway.
I think that the security section (section 5) is weak and
need to be beefed up.
If you have some beef, I'd be happy to add :-)
I did not see clear next on how notifications are addressed.
I thought RFC 3914 discussed the relationship between IAB
notifications and OPES tracing in detail.
Do you think the SMTP case should handle notifications in
an other way than via tracing or should the draft re-discuss
that relationship as it was done in RFC 3914?
Martin