ietf-smime
[Top] [All Lists]

Re: sender-auth and ira

2001-10-26 08:27:06

Peter:

I will respond to your comment in the ira document. I will let Don Davis respond to the other comments.

Section 3.0 sentence 2 and 3 should be moved to the end of the section
where one talks about usage in the context of S/MIME.

Or, a better separation of the definition of this attribut and its
usage in an S/MIME context should be made.

I am pleased to move it to the end of the section.

I am not sure whether I support not including BCCs. This should go
into a security consideration section. The problem is similar of
what happens in standard bcc: processing. It is up to the sending
system to create separate messages which may for example include
one bcc: header for each of the recipients.. similar for S/MIME
envelopes for BCCs, ...

The whole point of BCC recipients is to keep their identities from other recipients. If you are going to list them, then they are readily exposed. I do not think that we should introduce this leak.

The update to MSG should address BCC in the broader context.

Anyway, a possible and cost intensive solution is to have separate
copies with bccs, signed individually, etc. why should one exclude
this.

Yes, there is a cost. Again, BCC should be further addressed in the update to MSG.

Russ

<Prev in Thread] Current Thread [Next in Thread>