At 10:34 AM -0800 12/17/01, Hallam-Baker, Phillip wrote:
One of the ongoing problems with people using PGP
Or S/MIME, which is the topic of this mailing list :-)
is that people put
confidential information in the mail subject lines, eg:
Subject: Proposed purchase of Excite(_at_)Home
Subject: Your STD test results
Subject: Planned head count reduction
So over the years there have been plenty of fixes involving CMS encrypted
attributes etc. which gets into the rat hole of what other headers to add
Just to be clear: you are talking about leaking headers in
*encrypted* messages, not signed messages, I assume.
So instead of that how about the following fix:
1) A Best Current Practice Draft that says
2) Clients SHOULD offer users the option of replacing the subject line on
confidential messages and carrying the subject as the first line in the body
of the message.
A few thoughts:
1) That only covers the subject; you might want to cover other
headers that have valuable information.
2) That prevents the headers from being automatically processed.
Instead, how about encouraging the use of multipart/mixed which
starts with text/rfc822-headers. Any headers in that first part are
to replace the same headers on display only.
--Paul Hoffman, Director
--Internet Mail Consortium