I could not agree more -- prohibition or control of actions requested (or
implied) by the content of messages is not something we should be dealing
with here.

Consider:

(1) Plain text can be dangerous. I recently had to replace the terminal on my
desk at home. As it happens, I got a surplus terminal that came from some
financial services house. It arrived with user function keys unlocked and
both downloadable and triggerable remotely. The answerback was both
downloadable and triggerable. I figure anyone could trojan horse me with
about 2000 characters of their own choosing via a message containing the
right control sequences. The UA I use won't display them, but if the
file was labelled "type to see a pretty display" even I might be tempted to
do so without checking it first.

So let's eliminate all but printable ASCII characters, since anything else
is potentially dangerous? I think not!

(2) PostScript not only can be dangerous, it often is. PostScript has file
operators more than powerful enough to cause significant damage, and Level
II PostScript is much worse. Do _you_ check the contents of the PostScript
files you receive, or do you count on your PostScript interpreter to do
this sort of thing for you?

PostScript is dangerous. Get rid of it.

(3) A recent proof in the Math Monthly showed that there is no way to check a
piece of virus detection software to make sure it is itself free of virii.
This is a proof via a construction that reduces to the halting problem.

Any sort of system software is very dangerous. It cannot be sent.

(4) There was a lot of talk about how archives can be rendered safe by forcing
restoration to a point in a directory tree. I hate to rain on anyone's
parade here, but not all operating systems have tree-oriented directories
to make this work! This handy little trick does NOT generalize, and is NOT
a useful thing to mandate in a standard since it is unimplementable in
general.

Archive formats are dangerous. Out out out.

(5) Many interpreted languages provide a shell escape mechanism, and as such
are a gaping security hole. Compiled languages are no better since most
of them have file operators.

Bye bye to everything but magicmail.

It is late and I'm being a little silly, but no sillier than some of the
other postings today.

You don't get security by elimination of functionality. You get it by
authentication. If you want secure e-mail, use PEM.

Then, at least, you'll know who did it to you.

Ned
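The "force restoration to a point in a directory tree" check mentioned in item (4), as an added example that is not part of the original post: it assumes a tree-oriented filesystem with POSIX path syntax (exactly the case the poster notes does not generalize), a hypothetical restore root of /home/ned/restore, and a constructed list of archive member names; it rejects any entry whose normalized path would land outside the root before anything is written.

```python
import posixpath
from typing import List, Tuple

def confined_path(root: str, member: str) -> Tuple[bool, str]:
    """Return (ok, resolved). ok is True only when `member`, taken relative
    to `root`, still lies strictly inside `root` after lexical normalization.
    Note: this is a lexical check only; a symlink already present under the
    root could still redirect a write, so a real restorer also refuses to
    follow links it did not create itself."""
    root_norm = posixpath.normpath(root)
    if not member or posixpath.isabs(member):
        # An absolute member name ignores the restore point entirely.
        return False, ""
    target = posixpath.normpath(posixpath.join(root_norm, member))
    if target == root_norm:
        # "." or "a/.." names the root itself, not a file inside it.
        return False, target
    # Compare with a trailing separator so "/restore2" is not accepted
    # as being inside "/restore".
    if not target.startswith(root_norm.rstrip("/") + "/"):
        return False, target
    return True, target

def filter_members(root: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) for restoration under root."""
    accepted, rejected = [], []
    for name in members:
        ok, _ = confined_path(root, name)
        (accepted if ok else rejected).append(name)
    return accepted, rejected

# Constructed sample of archive member names (not from the original post).
SAMPLE_MEMBERS = [
    "README",
    "src/main.c",
    "docs/../src/util.c",   # stays inside the root after normalization
    "../../.profile",       # climbs out of the root
    "/etc/passwd",          # absolute: ignores the restore point
    "a/../../escape",       # climbs out after normalization
    ".",                    # names the root itself
]

if __name__ == "__main__":
    ok, bad = filter_members("/home/ned/restore", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```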