ietf-smime

Requirement: smime for mailto

2003-12-23 21:11:52



There is a requirement for securing email that was sent as a result of a
mailto.  When a mailto action is used in conjunction with an HTML form post,
most browsers support sending the input values in the body of the message as
a URL encoded string.  However, they are always transmitted in plain text.
Current Microsoft email clients conceal the data in an attachment where it
is not visible to the average user.  Unfortunately, this only increases the
problem by giving some users the impression that the communication is
secure.  What is needed is a way to encrypt these emails.  S/MIME provides
the means for encryption, but to my knowledge does not provide a means to
invoke it during a mailto, or require it for all mailtos.

Many reading this might regard this as an HTML problem, because mailto has a
history in the HTML specification.  But the need here is for a standard that
will be implemented into email clients, not browsers. Clicking on a mailto
invokes the user's default email client.

RFC 2368, on the mailto URL scheme, defines a mailto syntax that
includes a list of mail headers as part of the query string of the URL.  The
grammar is defined as follows:

mailtoURL  =  "mailto:" [ to ] [ headers ]
to         =  #mailbox
headers    =  "?" header *( "&" header )
header     =  hname "=" hvalue

One possible solution that would not require a change to the mailto
specification is to define a mail header that would invoke encryption of
the message.

I am interested in this problem, because I have developed a gateway for
delivering fully formatted web pages by email.  This service is used by low
bandwidth users around the world as their primary web access.  Information
on this service can be found at http://emailweb.us



Sincerely yours,

Gary Griswold
1 Longfellow Place
#3019
Boston, MA  02114
617-694-6403
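
Added example, not part of the original message: a sketch of how a mail client could parse a mailto URL per the grammar quoted above and honor an encryption-request header without ever falling back to clear text. The header name x-smime-encrypt, its value "required", the allow-list of accepted headers and the known_certs lookup are all assumptions; the message proposes such a header but does not name one.

```python
from urllib.parse import unquote

# Hypothetical header name and value; not defined by RFC 2368 or by the message.
ENCRYPT_HEADER = "x-smime-encrypt"
# Assumed client policy: only these headers are accepted from a URL, the rest are dropped.
SAFE_HEADERS = {"subject", "body", "cc", ENCRYPT_HEADER}

# Constructed sample URL: a form target that asks for encryption and smuggles a bcc.
SAMPLE = ("mailto:orders@example.com?subject=Order%20form"
          "&x-smime-encrypt=required&bcc=x@example.net")


def parse_mailto(url):
    """Split a mailto URL into (recipients, headers) following the RFC 2368 grammar."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto URL")
    to_part, _, query = rest.partition("?")
    recipients = [unquote(m).strip() for m in to_part.split(",") if m.strip()]
    headers = {}
    # Split on the raw "&" and "=" first, then percent-decode each side.
    for field in filter(None, query.split("&")):
        hname, eq, hvalue = field.partition("=")
        if not eq:
            raise ValueError("header without '=': %r" % field)
        name, value = unquote(hname).lower(), unquote(hvalue)
        if name == "to":
            recipients += [m.strip() for m in value.split(",") if m.strip()]
        elif name in SAFE_HEADERS:
            headers[name] = value
    return recipients, headers


def compose_policy(url, known_certs):
    """Return 'plain', 'encrypt' or 'refuse' for the message this URL would create."""
    recipients, headers = parse_mailto(url)
    if headers.get(ENCRYPT_HEADER, "").lower() != "required":
        return "plain"
    # Fail closed: encryption was requested, so every recipient needs a certificate.
    missing = [r for r in recipients if r.lower() not in known_certs]
    return "refuse" if missing or not recipients else "encrypt"


if __name__ == "__main__":
    print(parse_mailto(SAMPLE))
    print(compose_policy(SAMPLE, {"orders@example.com"}))
```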

