Re: Requesting comments on draft-cheney-safe-02.txt

2009-08-01 07:06:04

At 11:20 30-07-2009, Cheney, Edward A SSG RES USAR USARC wrote:
> I am requesting comments on the following internet draft. Any questions, confusion, feedback, or changes would be helpful.

In the Introduction section:

  "SAFE Scripting Method has only two intended objectives:"

I cannot tell what "SAFE" is. That is not explained in the Introduction or in the following paragraphs.

The third requirement in the draft is for a certificate authority. That can be a hurdle in terms of adoption.

  "Allowing script execution in email is absolutely necessary to provide
   a minimal expectation of user experience and interaction, as well as
   promoting the advancement of data and commerce exchange."

Script execution in email has proven to be problematic. Although it is done on the server side, that does not reduce the risks as you still face the upgrade issue as the servers do not get updated that often. The proposal also assumes an "always-on" connectivity for the client.

Could you please explain what this proposal has to do with SMTP? The draft mentions "mail server". That term generally encompasses several email-related protocols.

  "This is inherently a security centered document."

A security centered document generally has some security considerations. You could discuss the problem areas and how the security issues may be mitigated. BTW, don't think of security issues only in terms of where the code is running. Some of the plights of email are due to content.

Remove encryption and digital certificates from the model and determine what the threats are. Then think about how you would address them. You can use encryption and digital certificates then but you should spell out what they are being used for. Digital certificates by themselves do not have any credibility for some types of users.