OK.
Then I suggest that the Security section mention that these MUSTs may
create a security problem in disclosing that messages have been OPESed.
All the best.
jfc
At 13:48 17/08/2006, Stecher,Martin wrote:
>
>
> I am OK for alst call with the whole document except one
> security related point.
>
> section 4.
> I think that MUSTs should be replaced by SHOULDs.
This section 4 lists requirments for a
"SMTP Adaptation with Open Pluggable Edge Services (OPES)"
document.
There are four MUST requirements.
The first two are the MUST of an OPES system for OPES/SMTP to
add trace info.
This is in compliance with the application agnostic requirement
of RFC 3897 that OPES systems must add trace information.
RFC 4236 (OPES/HTTP) defines the same MUST.
I don't think we have an option to make this a SHOULD now.
The other two requirements define that the SMTP adaptation draft
must define these two bypass techniques.
It does not require that an OPES system must support these
techniques.
I can make this more obvious by writing:
o The OPES/SMTP specifications MUST define a bypass request option
that can be included in mail messages
o The OPES/SMTP specifications MUST define a bypass request option
as an extension for SMTP dialogs
> section 5.
> We should mention that there is a security problem of these
> SHOULDs are not enforced.
>
> The reason why is to permit OPES applications where there is
> no trace on mails. In particular for reverse security reasons
> (I do not want to disclose my protection strategy to protect it).
> jfc
>
Martin