Re: "proper" handling of BCC

There are many angles to all this, including one that there is a majordifference in the types of MUAs, including in how it relates to theheaders, the managed "privacy" control required for blind copies, etc,and in regards to the "Inventor" of email, in that era he was using aONLINE MUA, not an store and forward, offline based MUA.

That is a major distinction in all this. In fact, if you go thefellows web site, there is sad and hilarious picture showing him infront of what appears to be a DEC VT100/102 terminal and the captionsays something to the effect

if you look carefully, you can see the clear From/To/BCC UIevidence of the

     new EMAIL system.

It was saying "huh?" I could even come close to seeing any readablecharacters or any fuzzy screen resolution whatsoever - but then againit could be my failing eyes.


Any hoo, for MUAs regardless of the network, gateway, etc:

o Online

The backend handles the separation when the frontend/GUI offers fieldsfor this. When the post (clicks the Post/Send button) is made, thebackend needs to handle the distribution for privacy requirementsbefore putting/moving them into system's mail transport outboundqueues and/or local storage user bins.


o Offline

The RFC-based offline MUA is responsible for separating the targetsbefore SMTP sending for the following reasons:

First, there is no current SMTP solution, such as "BCPT TO" statemachine command option, and second, there is no expectation for SMTPreceivers to parse for 822/2822/5322 headers to extract distributiontargets.

In all case, backend or offline MUA needs to make sure the separationfor the privacy requirements are met.

There is nothing more embarrassing, including legal, to have mistakesof exposing blind copies to the other non-blind recipients.



Robert A. Rosenberg wrote:

At 13:17 -0500 on 02/28/2012, Tony Hansen wrote about Re: "proper"handling of BCC:
I actually started writing such a doc about a year ago, but neverfinished it.
Is it worth dusting off?

    Tony Hansen

On 2/28/2012 12:24 PM, Dave Crocker wrote:
On 2/28/2012 9:11 AM, Paul Smith wrote:
OK, I was wrong - but I've never seen a BCC handled in that waybefore... I've sometimes received messages with a 'BCC' fieldcontaining addresses who were NOT me (ie I shouldn't have known theyexisted), and most MUAs I've seen (in fact, all those I'veinvestigated fully) just list those recipients in the envelope for asingle copy of the message. So, I've never seen a BCC field in amessage header, used 'correctly'.
We have never really standardized BCC as an end-to-end construct, atthe MUA-MUA level.
d/
Ways it can be handled is for the MUA to submit the BCC header to theMSA and have it remove the header while cloning the message to createone master and one copy for each BCC listing only the Address, have theMSA scan the To and CC assuming that any RCPT-TOs not there are BCCs anddo the cloning, OR add a BCC indicator to the RCPT-TO and do thecloning. Not that the first 2 alter the MSA while the last alters boththe MSA and MUA.
In any case there needs to be some way of indicating the BCC contents.Note that there needs to be a way of triggering the insertion/displayof the BCC listing only the recipient in the recipient's copy of themessage that WILL NOT get triggered by a normal Mailing List message.Options 1 and 3 above qualify since there is a indication to the MSA toclone the message with a BCC. Option 2 since it triggers via a mismatchbetween the To/CC contents and that of the RECPT-TO will be the problemsince there would be no difference to the MSA between a BCC and aMailing List generated message.
Note that I am just winging it and may be missing something and I amjust doing some design spec thoughts above.


--
Sincerely

Hector Santos
http://www.santronics.com
jabber: hector(_at_)jabber(_dot_)isdg(_dot_)net