At 04:33 PM 5/18/98 -0700, Jim Schaad (Exchange) wrote:
If you are suggesting that this is a matter of local policy, it is my belief
that most clients will never encrypt a secure receipt back. I am not sure
that this is better than over encrypting.
Jim, this is a great arguments against making a SHOULD. A SHOULD should
only be included if there is a strong reason why an implementation should
do it one way. I agree with you, that it is unclear; thus, there should be
a mention, and not a SHOULD.
Would adding a statement that it
should be done unless local policy says otherwise be ok?
That's a tautology: the latter clause is exactly what SHOULD means. I am in
favor of adding a sentence or two that says something along the line of "An
unencrypted receipt of an encrypted message may expose information from the
original message. The responder should consider this when deciding whether
or not to encrypt the receipt."
On point 2 I was really asking about expectation rather than about what is
permitted/prohibitted. I agree that the current state of non-prohibition
should remain, I was just asking if people thought that SMimeCapabilities is
expected in a signed receipt message.
It is definitely permitted. I do not think it should be expected, due
exactly to the concern in your original message: unneeded bloat. Is user A
expected to remember to whom she sent her SMIMECapabilities? Adding it to
every receipt is a waste of bandwidth for every instance after the first
(until they are changed).
--Paul Hoffman, Director
--Internet Mail Consortium