On Nov 14, 2007, at 3:47 AM, John C Klensin wrote:
> Dave,
> I agree, and dislike this proposal for this (primarily) and other
> reasons, including my usual problem of not liking to have to be
> online to read and reply to messages (I'm reading this thread and
> writing this answer at circa 30K feet over the Atlantic).

A minor change to the last sentence in the last paragraph of Section
3.2 should eliminate this concern. This sentence was added by John.
It made sense to specify how to employ this alternative; however, it
also raised this concern, and possibly deprived recipients of content
filtering that really should be done by their provider. : )

3.2. TBR Transaction
...
,---
|As an alternative, instead of retrieving the replacement message
|content, it MAY prepend any additional trace headers to a
|notification sent to the recipient containing the eXAM-URI itself,
|along with any other appropriate information.
'___

Can be changed to:

,~~~
:An alternative notification containing the eXAM-URI and not the
:retrieved message content SHOULD NOT be used.
'~~~

> But, in fairness to the proposal, the general idea has one
> advantage. If one is concerned about source / originator identity
> and authentication, having to make a real-time direct connection
> back to the sender's repository permits thinking about much stronger
> methods than, e.g., header signatures.

Header signatures represent yet another burden placed upon receiver
resources. Receiver side processes are being inundated by a rising
level of spam. The TBR method offers a means to shift the
authentication burden to the transmitter of the message, while also
providing the receiver a means to schedule and prioritize use of their
resources without incurring an obligation to issue problematic DSNs.

> On the other hand, if we were willing to say "if you can't get email
> unless you have stable end-to-end connectivity to the sender", one
> could presumably get equally strong identification and
> authentication with an enhanced SASL method and no new SMTP
> extension protocol bits.

Without the TBR extension, point-to-point security would burden every
stage of delivery.
-Doug