ietf-smtp

Re: "for" clause on Received: header field

2007-04-30 13:28:41

John C Klensin wrote:

> Whether one has a single address in a "for" clause or three,
> the information disclosure risk is identical.

ACK.  My proposal to remove the Apparently-To section was a bad
plan.  You need something for the forward pointer to 7.2 in the
"for" section.

Rewriting 7.2 to address "for" issues instead of Apparently-To
could make sense, if it's not only me who missed that the "for"
can be a very similar problem.

IMO the concern that a "for" used only for one recipient could,
when absent, disclose the existence of one or more blind carbon
copies to receivers behind the same MX, is negligible compared
to a "for" disclosing directly one or all affected addresses.

And I'd still support Kari's proposal that at most one "for" as
in 82x is interesting enough, more than one can't be a good idea.

Frank
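
The disclosure discussed in this message can be checked for on stored mail. The following is an added example, not part of the original post or of any specification text: it compares the addresses in each Received "for" clause with the visible To and Cc fields and reports any address that appears only in the trace. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: bob is a blind-copy recipient, yet the receiving
# MTA recorded his address in the "for" clause of its trace field.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.1])
\tby mx.example.net with ESMTP id ABC123
\tfor <bob@example.net>; Mon, 30 Apr 2007 13:28:41 +0200
From: alice@example.org
To: carol@example.net
Cc: dave@example.net
Subject: constructed test message

body
"""

# "for" followed by one or more addresses, up to the ";" before the date.
FOR_CLAUSE = re.compile(r"\bfor\s+([^;]+);", re.IGNORECASE)
ADDRESS = re.compile(r"<?([^\s<>,;]+@[^\s<>,;]+)>?")


def for_addresses(received_value):
    """Return the lower-cased addresses named in one Received "for" clause."""
    unfolded = " ".join(received_value.split())      # undo header folding
    unfolded = re.sub(r"\([^()]*\)", " ", unfolded)  # drop comments
    match = FOR_CLAUSE.search(unfolded)
    if not match:
        return []
    return [addr.lower() for addr in ADDRESS.findall(match.group(1))]


def disclosed_recipients(raw_message):
    """List (hop index, address) pairs named in "for" but absent from To/Cc."""
    msg = message_from_string(raw_message)
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return [(hop, addr)
            for hop, value in enumerate(msg.get_all("Received", []))
            for addr in for_addresses(value)
            if addr not in visible]
```
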