ietf
[Top] [All Lists]

Re: Last Call: <draft-ietf-yam-rfc4409bis-02.txt> (Message Submission

2011-08-18 10:34:50
Hi Martin,
At 14:01 16-08-2011, Martin Rex wrote:
Security-wise, the SRV record suggested by rfc6196 seems to create
additional security problems, so I would also not like to see it being
"adopted" as is.  :-/

The YAM working group participants did not point to any security problem in RFC 6186. A reading of the YAM mailing list archive would make it clear that nobody disliked RFC 6186. There was a pre-evaluation of RFC 4409 (see draft-ietf-yam-4409bis-submit-pre-evaluation-00). As there seem to be some confusion when the term "downref" is mentioned, I'll put the question as follows:

  Could the reference for RFC 6186 be mentioned in
  draft-ietf-yam-4409bis-submit-pre-evaluation-00?

If the above question is too stringent, let's try a simpler one:

  Is there any documentation about implementations of RFC 6186?

Given that nobody came forward to point to any documentation, there wasn't any reason to spend more time on the question.

While I fully agree that it is sensible to relegate (and fix) the
authentication to a different document, I currently see this:

http://tools.ietf.org/html/draft-ietf-yam-rfc4409bis-02#section-7

   | AUTH             | Authentication   |    MUST   | [SMTP-AUTH]     |


And it somehow feels wrong to exhibit an ostrich-like behaviour about
the current mess around SMTP-AUTH in the security considerations section.

RFC 4954 is authoritative for SMTP AUTH. If there is a mess around SMTP AUTH and it has to be fixed, the best place to do so is in a revision of RFC 4954. This draft is more about the separation of submission and relay of messages.

I believe it would be sensible to describe the desired authentication model
for MUA->MTA in more detail, beyond the mere reference of [SMTP-AUTH]
in section 4.3 of the current document:

The intent is to publish the document as a Full Standard. As much as it may be sensible to describe the desired authentication model, it had to be shown that changes would contribute in a substantial and substantive way to the quality and comprehensibility of the specification as that was the guideline given to working group participants. If you would like to recommend additional text, I suggest sending a message to the YAM mailing list.

If there are any questions that have not addressed to your satisfaction, please let me know so that I can bring it to the attention of the working group.

Regards,
S. Moonesamy
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf