RE: WG Last Call: draft-ietf-opes-smtp-security-00

["Stecher,Martin" <martin_stecher@xxxxxxxxxxxxxxxxxxx>]

> 
> 
> I am OK for alst call with the whole document except one 
> security related point.
> 
> section 4.
> I think that MUSTs should be replaced by SHOULDs.

This section 4 lists requirments for a
"SMTP Adaptation with Open Pluggable Edge Services (OPES)"
document.
There are four MUST requirements.

The first two are the MUST of an OPES system for OPES/SMTP to
add trace info.
This is in compliance with the application agnostic requirement
of RFC 3897 that OPES systems must add trace information.
RFC 4236 (OPES/HTTP) defines the same MUST.

I don't think we have an option to make this a SHOULD now.

The other two requirements define that the SMTP adaptation draft
must define these two bypass techniques.
It does not require that an OPES system must support these
techniques.

I can make this more obvious by writing:

   o  The OPES/SMTP specifications MUST define a bypass request option
      that can be included in mail messages

   o  The OPES/SMTP specifications MUST define a bypass request option
      as an extension for SMTP dialogs


> section 5.
> We should mention that there is a security problem of these 
> SHOULDs are not enforced.
> 
> The reason why is to permit OPES applications where there is 
> no trace on mails. In particular for reverse security reasons 
> (I do not want to disclose my protection strategy to protect it).
> jfc
> 


Martin