ietf-openproxy

RE: [opes] draft-ietf-opes-smtp-security-01

2006-12-06 08:10:49

 
All,

I have done a very quick review of draft-ietf-opes-smtp-security-01

http://www.ietf.org/internet-drafts/draft-ietf-opes-smtp-security-01.txt

Based on the very quick review, I think that my previous concerns are
addressed.


Abbie


-----Original Message-----
From: owner-ietf-openproxy(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-openproxy(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of 
Stecher,Martin
Sent: Thursday, August 17, 2006 7:06 AM
To: OPES Group
Subject: RE: [opes] draft-ietf-opes-smtp-security-00


Hi Abbie,


Looking at the document, draft-ietf-opes-smtp-security-00, I suggest 
that the work in section 5 relate to Security Threats and Risks for 
Open (RFC 3837) and state the additional risks and countermeasures 
that apply to the SMTP case.

RFC 3837 is one of our documents that is really application agnostic. 

RFC 3914 was too much concentrating on HTTP, that is why this draft was
written to address the SMTP specific issues in regards to the IAB
considerations handled in RFC 3914.
The Security Considerations section of RFC 3914 is very short too.

Security issues introduced by SMTP/OPES must be handled in that draft
anyway.


I think that the security section (section 5) is weak and needs to be 
beefed up.

If you have some beef, I'd be happy to add :-)


I did not see clear next on how notifications are addressed.

I thought RFC 3914 discussed the relationship between IAB notifications
and OPES tracing in detail.
Do you think the SMTP case should handle notifications in another way
than via tracing or should the draft re-discuss that relationship as it
was done in RFC 3914?

Martin

