Thanks for that Bron. I suspected there was a discussion about this topic in the WG, but that it simply wasn’t reflected in the I-D. For those of us who haven’t kept up, adding a little bit of that discussion into the introductory material would help a lot. Kind regards, -Peter From: Bron Gondwana <brong@xxxxxxxxxxxxxxxx> On Tue, Sep 7, 2021, at 17:00, Peter Yee via Datatracker wrote:
Thanks for the detailed review Peter! I'll leave the specific nits to Alexey as author. Good point with the "rationale for trusting the server". We did discuss this during the early meetings when this draft came up, and considered that this would most likely be used within an organisation which controls both the client and the server. JMAP is particularly well suited to very simple and light-weight clients. It's envisioned that JMAP clients may even be a simple widget which displays some details like mailbox counters or previews of the most recent few messages. By having the server side do S/MIME validation, a client can simply check a property to display an icon next to a preview without being a full S/MIME client. Obviously this isn't something you would do where you didn't trust the server absolutely! It seems reasonable to me to add some text that summarizes this understanding in the introduction, along with the existing "requires the client to trust server verification code" in the security considerations. Cheers, Bron. |
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
