The Purple Streak, Hilarie Orman wrote:
There is an obvious slippery slope adjacent to modification of email
content. With HTTP, the information is usually meant for many
recipients (anyone who asks). For SMTP, it is frequently
individual-to-individual, and privacy concerns are paramount. I'd
argue that a very high standard of privacy and integrity protection
should accompany any venture into this area. We need at the minimum a
document on "security and integrity guidelines for OPES SMTP
services".
While I'm the last one to endorse unauthorized modification of email
(I actually have to live with it every day), I stopped assuming that
email is private a long time ago - at least from a technical
perspective, not a legal one. When I want an email to be private, I
encrypt it. OPES cannot fix existing privacy problems, but it should
also not worsen them. I assume that's what you meant?
HTTP information is increasingly personalized, i.e. no longer
necessarily meant for many recipients. Privacy conerns in this context
can be solved by offering delivery of content via https - just as
emails can be encrypted.
Do we expect that "security and integrity guidelines for OPES SMTP
services" will be fundamentally different from the ones for HTTP, or
would it make sense to cover them in the "Security Considerations" of
the SMTP-related protocol drafts?
-Markus