ietf-smtp

Re: SMTP Transferred-By-Reference

2007-11-14 11:46:57


On Nov 14, 2007, at 3:47 AM, John C Klensin wrote:

Dave,

I agree, and dislike this proposal for this (primarily) and other reasons, including my usual problem of not liking to have to be online to read and reply to messages (I'm reading this thread and writing this answer at circa 30K feet over the Atlantic).

A minor change to the last sentence in the last paragraph of Section 3.2 should eliminate this concern. This sentence was added by John. It made sense to specify how to employ this alternative; however, it also raised this concern, and possibly deprived recipients of content filtering that really should be done by their provider. : )

3.2.  TBR Transaction
...

,---
|As an alternative, instead of retrieving the replacement message
|content, it MAY prepend any additional trace headers to a
|notification sent to the recipient containing the eXAM-URI itself,
|along with any other appropriate information.
'___

Can be changed to:

,~~~
:An alternative notification containing the eXAM-URI and not the
:retrieved message content SHOULD NOT be used.
'~~~

But, in fairness to the proposal, the general idea has one advantage. If one is concerned about source / originator identity and authentication, having to make a real-time direct connection back to the sender's repository permits thinking about much stronger methods than, e.g., header signatures.

Header signatures represent yet another burden placed upon receiver resources. Receiver side processes are being inundated by a rising level of spam. The TBR method offers a means to shift the authentication burden to the transmitter of the message, while also providing the receiver a means to schedule and prioritize use of their resources without incurring an obligation to issue problematic DSNs.

On the other hand, if we were willing to say "if you can't get email unless you have stable end-to-end connectivity to the sender", one could presumably get equally strong identification and authentication with an enhanced SASL method and no new SMTP extension protocol bits.

Without the TBR extension, point-to-point security would burden every stage of delivery.

-Doug