ietf
[Top] [All Lists]

Re: Gen-ART LC review of draft-ietf-lemonade-streaming-09

2009-03-10 08:14:11
Hi, Neil,

Thanks for the quick response (so I can still remember writing the review :-)...

Deleting stuff we agree on - I think my suggestion here

3.8.  Media Server Use of IMAP Server

 If the media server is configured as an authorized user of the IMAP
 server, it SHOULD authenticate to the IMAP server using the
 credentials for that user.  This document does not go into the
 details of IMAP authentication, but the authentication SHOULD NOT use
 the LOGIN command over a non-encrypted communication path.

Spencer (minor, because I'm not your security reviewer): I'm struggling why this last statement is SHOULD NOT with no qualifications... if you tell me that this is normal practice in the e-mail community, I'll be quiet, but this would worry me if I saw it happening.

You're right, I actually took this verbatim from an earlier version of the IMAP URL RFC, but I notice the latest version has removed this text. There is no particular need for it in this doc either, as the base IMAP RFCs cover the perils of using non-encrypted communication channels adequately enough, and as such it's not a security concern of this doc. So I lean towards removing the sentence completely, or simply lowercasing the SHOULD NOT.

is removing the sentence.

My biggest concern was whether the media server might be configured with MY IMAP credentials, and might decide it was a good idea to send MY IMAP credentials "in the clear". If that's possible, I'd hope for MUST NOT, but you're probably saying that this spec is not the right place to fight the battle of clear-text security credentials, even for IMAP, and I can see that being the case.

Thanks,

Spencer

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf