
Re: [ietf-dkim] [dmarc-ietf] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

2016-11-16 14:15:36
On Thu, Nov 17, 2016 at 3:47 AM, Alessandro Vesely <vesely(_at_)tana(_dot_)it> 
wrote:


That way it will stay dormant until someone gets hurt and has to activate
it, at which time it may cause more damage than improvement.  A loose
cannon.


The document makes that risk clear, or so I thought.


You mean Section 5?


Yes.



Finally, if you stick to one recipient per message, why do you rack your
brains about encryption?  I suggest adding a Disclosed-BCC: header field
with the recipient address in the same 5322.address-list cleartext format
as the other address fields, and sign it FWIW.  It won't break more
privacy than Delivered-To: does.


I don't follow.  There's no additional encryption going on here.


I mean the SHA transformation.  Cleartext is obviously easier to
understand and debug.


I wouldn't say a salted hash qualifies as "racking my brains".  The idea is
to make it difficult to see who the envelope recipient is simply by
looking.  A one-way transformation forces an interloper to make guesses and
try to confirm, and the salt guarantees that your email address does not
always hash to the same thing.  It's not perfect security by any means, but
it's a cheap way to limit what gets leaked.  This too is spelled out in
Section 7.



Adding a "Disclosed-BCC" field guarantees disclosure, rather than only
disclosing if the MDA adds a Delivered-To.  I don't think we should make
that worse.


So long as you disclose it to the very recipient, there is no worry.  NDNs
customarily report SMTP chit-chat in cleartext, betraying users who attempt
to hide their real address behind a dot-forward.  Log files are full of
envelope citations.  Received: fields feature a FOR clause which is not
deprecated for single recipient messages.  We're not worsening anything.


If you hand me a printed copy of a message without the envelope, and the
Received didn't use the (non-standard) "for" clause, I cannot be certain it
was delivered to whatever the To and Cc say, if they're even present.  It
may have gone only to an envelope recipient that isn't visible.  That is,
if there was a Bcc, it's not revealed to me.  If you insist on using "for"
or "Disclosed-Bcc", that information is guaranteed to be exposed, and I can
see who that secret recipient was.

By contrast, including these tags at most reveals to me that there was a
Bcc, but I have to do some complex (though these days, cheap) math to guess
whether a specific address was in there.  If I never make the correct
guess, the secret is never revealed.

-MSK
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
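The salted-hash property discussed in this thread (same address, different salt, different tag; an observer can only confirm a guess, never read the address), as an added illustration that is not code from the draft or from either poster. The exact field layout, salt length and canonicalisation are not given here, so the helper below assumes SHA-256 over salt || address with the domain part lowercased.

```python
import hashlib
import hmac

def canonical(address: str) -> bytes:
    """Assumed canonical form: local-part kept as-is, domain lowercased.
    The real draft's canonicalisation is not stated in the thread."""
    local, _, domain = address.strip().rpartition("@")
    return f"{local}@{domain.lower()}".encode("utf-8")

def recipient_tag(address: str, salt: bytes) -> str:
    """One-way tag for an envelope recipient: SHA-256(salt || address), hex."""
    return hashlib.sha256(salt + canonical(address)).hexdigest()

def confirms(candidate: str, salt: bytes, tag: str) -> bool:
    """What an observer holding the salt and tag can do: test ONE guess.
    Constant-time compare so verification itself leaks nothing extra."""
    return hmac.compare_digest(recipient_tag(candidate, salt), tag)

def salt_changes_tag(address: str, salt_a: bytes, salt_b: bytes) -> bool:
    """True when two different salts yield different tags for one address."""
    return recipient_tag(address, salt_a) != recipient_tag(address, salt_b)

def demo() -> dict:
    # Constructed sample values; the salts are not from any real message.
    bcc = "hidden-recipient@Example.COM"
    salt_a = bytes.fromhex("00112233445566778899aabbccddeeff")
    salt_b = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    tag_a = recipient_tag(bcc, salt_a)
    return {
        "tag_length": len(tag_a),
        "salts_differ": salt_changes_tag(bcc, salt_a, salt_b),
        # Domain case-folding: same mailbox, same tag.
        "case_insensitive_domain": confirms("hidden-recipient@example.com", salt_a, tag_a),
        # A wrong guess does not confirm.
        "wrong_guess": confirms("someone-else@example.com", salt_a, tag_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```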