ietf-smtp

Re: RFC 5321bis / 2821ter

2009-01-30 12:29:43
--On Friday, January 30, 2009 17:19 +0100 Alessandro Vesely
<vesely(_at_)tana(_dot_)it> wrote:

> ...
>> It depends on _exactly_ how you define "SMTP relay".  If it
>> includes submission servers, the same privacy arguments that
>> have been applied to senders would apply to it too.
>
> I beg to differ. As a postmaster, I may grant anonymity to my
> users. For example, I may suppress identification in the
> Received header. Thus, I can be readily identifiable, e.g. via
> whois information, while my users can send anonymously by
> altering their From header. Note that their anonymity is only
> granted until a judge wants to investigate my logs. (Since
> 2005, Italian law has required "operators" to keep logs of mail
> transactions for some months; in the UK, they've been
> discussing this recently -- it's an EU anti-terrorism
> determination.)

And that is _exactly_ the point.  Perhaps you have never had
judges in Italy who would violate legal requirements to obtain
information about an anonymous mail message that criticized one
of their friends or relatives, or other types of officials who
would attempt to obtain that information from you even though
they are not legally entitled to it, but there have been ample
experiences with both in other parts of the world.  If you are
concerned about privacy as a primary objective, you probably
don't want to actually know who your users are, even if you
might want to establish credentialing systems to be able to
identify whether one is the same from one message to the next.

Obviously, that strong a position about privacy protection is
caught in a tradeoff against legitimate state interests in
tracing criminals and terrorists.  In particular circumstances,
that tradeoff may work out exactly as you describe -- the relay
(or submission server) knows the identities of its users but
hides those identities from the outside world unless confronted
with a legitimate order from a legitimate authority.  But the
differences, and the potential situations in which strong
anonymity and privacy are really important, demonstrate to me
that those decisions should be local and operational matters,
not something wired into the protocol.

So, if you say "this is how it works in my jurisdiction and the
protocol must not get in my way of providing service while
tracking my users", I think that is fine.  If you suggest that
the protocol and its supporting arrangements must be constructed
so that anonymity of a submission server or relay becomes
impossible, then I believe that is too much of a political
decision influencing a protocol one.

> Not being an anonymous operator involves choosing an ISP that
> does reverse DNS delegations, and registering a domain
> directly rather than through a whois-privacy-enhanced
> registrar. The first step is not always possible, which is why
> we had that discussion on submission identifiers. The second
> step is the rule, AFAIK. Although I know that whois queries on
> each incoming message would not be tolerated, what I meant to
> ask is whether the recognizability implied by the EHLO command
> is meant, from an ethical POV, to reject anonymous relays.

Thank you for finally clarifying what you (and probably others)
meant by "non-anonymous operator" and "verifiable domain name".
My personal opinion and answer to your question is that, from a
protocol standpoint, it is undesirable to try to require a
higher standard for the EHLO argument than resolvability of the
domain name -- resolvability to _something_.  The status of the
domain registration, whether it is "privacy enhanced" or not,
etc., are reasonable matters for local policy, but not for the
SMTP protocol.

>> The ability
>> to close down or restrict traffic from servers that support
>> anonymous senders is equivalent to the ability to shut the
>> anonymous senders down.
>
> I don't think I know what you mean. Formally, I cannot know if
> an SMTP server supports anonymous senders.

"Formally" has little to do with this, as the discussion above
should show.  If someone can notice that you are supporting
anonymous senders (typically an operational or political
determination, not a protocol one) and make you disclose their
identities with penalties including being shut down if you do
not, then there is no operational anonymity, at least vis-a-vis
whomever can compel you in that way.

     john
