[Top] [All Lists]

Re: making mail traceable

2004-01-17 13:51:13

On Fri, 16 Jan 2004, Keith Moore wrote:

    > Doesn't RFC1847 (security multiparts) already provide both of these, or
    > at least the framework sans the actual algorithm?

    Only if everyone's user agents treated a security multipart
    containing a message semantically the same as they would the
    original message.

Sure, so your primary concern is that the use of security multiparts
would be a less backwards compatible change than a change to the
Received syntax or adding a new header.

    >     - A way to ensure that messages get tagged with originator-id when
    > they
    >     are injected into the mail systems
    > I agree in principle, I think.  But couldn't a Received already provide
    > this information if everyone would just do it, i.e., it's optional now?

    The two are fairly different.  You want to capture the originator-id at
    submission time, not at every hop.  And you need protocol elements that
    Received (not being extensible) cannot convey.  To me it makes more
    sense to start from whole cloth.

I agree with the principle.  As to whether it's in a Received header or
in something different I also agree with Dave Crocker's point that we
really need to examine what we want to capture before we can know for
sure where to put it.

    >     - If you really wanted to, you could augment Received or add a new
    >     trace field that recomputed the hash at each hop (to show if and
    > where
    >     the message was corrupted in transport)
    > Why would you forward a message that was discovered to be corrupted?

    Probably because the message might have been corrupted in a way that
    makes the hash invalid without actually changing the content of the
    message.  Something tells me it will be difficult to write a
    canonicalization function that accommodates all of the various kinds of
    message and header munging that is out there.

I can imagine it might be a local policy preference for all messages to
be examined by a person instead of rejecting it if the hash validation
fails.  However, it should be the case that except for human review the
message is rejected (for whatever we decide rejection means).  There may
be some edge cases where broken mailers do really obscure things to
messages to break the hash, but either you are doing security right or
you don't do it.

    > I'm sorry but I just don't see what you have in mind that is worse than
    > it is today,

    Given the apparent aspirations of the current occupant of the US White
    House, things could get far, far worse than they are now.  I'd far
    rather have spammers than Big Brother George any day.

    > Can you please elaborate on the "mass surveillance" you fear?

    Have you read the Patriot Act lately?

    Okay, I'll be more specific.    If every message has an originator-id
    tag that can be traced to the origin, it becomes fairly simple for the
    US Government to insist that all US ISPs (and perhaps, all foreign ISPs
    peering with US ISPs) give them a list of mappings from tags to more
    recognizable identifiers (such as credit card #s), or that the ISPs
    generate tags in such a way that the USG can simply decrypt them to
    obtain those identifiers.  Given the kind of stuff that is already
    authorized by existing laws, (and if not authorized, obtained by
    coercion of various kinds) this isn't much of a stretch.  And everybody
    knows that terrorists use email...

    Anyway, the reason my proposal allows originator-ids to be ephemeral is
    to make it hard for ordinary people to track messages - I believe
    anonymous speech is important - and also out of recognition that
    spammers can probably get ephemeral accounts anyway.

My point is that we are not that from this already.  To stretch the
example to the extreme, the US Government could make a law that ISPs
have to make sure they can map a From: email address to an actual person
before accepting submission of a message (in the US of course).  Why do
we need a special identifier?

And as you suggest, anonymity is achieved by using a throw-away account
with one of the free providers.  We just need to know that we can filter
on such origins if we don't want "trust" or otherwise want them.