ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ietf-smtp] Good to see new list, comments about the "purpose"

2020-07-29 11:16:14
from [Michael Peddemors] [Permanent Link]
I believe this is an opportunity, and the BOF should consider that the working group's mandate be extended larger than originally suggested.
As pointed out previously on other threads, having a working group that covers the whole email core, would enable this working group to tackle more wide ranging email problems, that are important to the internet community.
For example, the current conversation in the ietf-smtp mailing list, there are discussions about permitted labels' in email, that should properly encompass IMAP usage as well, same goes for the conversations about SSL vs STARTTLS, applies to both SMTP and IMAP.
Having a standing WG that can address issues across the whole email ecosystem makes sense. 

And if that is true, again I purport the new WG could then take on:

https://tools.ietf.org/html/draft-yu-imap-client-id-04
https://tools.ietf.org/html/draft-storey-smtp-client-id-09

*Comments Welcome*

Someone (Dave) suggested we use a standardized template.


Item:        { Reference-name }

Issue:       { Concise description of problem, concern, or the like }

Effect:      { What significant effect(s) is this issue producing? }

Validation:  { Document the basis for the claimed effect }

Item: CLIENTID
Issue: Traditional IMAP/SMTP protocols are no longer sufficient for modern day threat protection, especially when it concerns traditional email and password authentication. Malicious bots and attacks, and data breaches have made world wide users of email vulnerable to email account takeovers. Password replay attacks, dictionary attacks, password reuse, and weak passwords are a very real and persistent threat. Hacked email accounts are no longer just used to send spam, threat actors now use it for data exfiltration, spear phishing, deploying ransomware, and the takeover of cloud services, where the email address controls access, such as banking information, cloud services, domain name takeovers, impersonation, as well as access to sensitive information in email mail repositories, contacts, and other related information.
Effect: Adding CLIENTID to the base IMAP/SMTP protocols allow for ACL's and/or controls to only allow authentication to approved devices, and/or classes of devices, preventing password reuse/guessing attacks, which currently are attributed to be the major source of email compromise. This technology can be deployed transparently to the end user(s).
Validation: The CLIENTID extensions are already in wide spread use, across multiple email servers, and multiple email clients, and it's use detects and prevents > 99% of all such attacks against CLIENTID enabled email accounts.
As this is already becoming a standard across multiple vendors. and it's efficacy is proven, this would be the time to ratify the implementation standards. For those that aren't aware, it's in public use in MagicMail and MailEnable servers, and it is supported in emClient, SaneBox, BlueMail, Thunderbird, and many other email client libraries.
I believe the IETF supports enshrining in RFC's standards that are already being adopted in the wild. And we are still looking for an official home for this, and the working group to take it on. 


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-smtp] New mailing list for EMAILCORE effort, Alexey Melnikov
Next by Date:  Re: [ietf-smtp] Good to see new list, comments about the "purpose", Dave Crocker
Previous by Thread:  [ietf-smtp] New mailing list for EMAILCORE effort, Alexey Melnikov
Next by Thread:  Re: [ietf-smtp] Good to see new list, comments about the "purpose", Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]