Noting that SM and Paul Smith have made comments about the UI
and threat model problems that parallel mine, I won't repeat
myself about that. But one additional observation that I should
have included earlier:

--On Wednesday, October 16, 2013 10:30 -0700 Wei Chuang

>> I do like the idea of using several tiers - but also wonder
>> what the implications will be when you demand tier 2 or
>> higher and I can only provide tier 1 security. Won't this
>> just mean emails get bounced all over the Internet?
>
> It will mean that there will be more bounced mail. But I
> would argue that this is what the user desired as described

In general, the only thing that users (as distinct from very
technical and knowledgeable people who also use email) desire is
that the mail go through. They may also desire that it go
through securely and privately but, if one gets down to "if that
can't happen, what general policy would you prefer", most of
them will tune out and most of those who don't will tell you
that it differs case by case and then get impatient if you make
them specify per-message options.
Most of them will also tell you that, if the message doesn't get
delivered (that is part of "mail goes through"), they want an
absolute guarantee that they find out about it rather than
assuming the recipient got a message that recipient never saw.
That is where things get really hard because we have moved into
a world in which concern about blowback attacks causes a lot of
mail to be discarded rather than bounced back to the originator.
It seems to me that you can't control that behavior. At least I
didn't find anything in the current draft that addresses it.
It would be interesting if a server that advertises MSMD or a
client that requested it would be required to guarantee to
actually generate and transmit bounce messages rather than
discarding bad mail, but I haven't attempted to do enough case
analysis to guess whether that would be effective.
Given where you and your colleagues work, it may be appropriate
to note that, empirically, gmail is one of the systems that
cannot be relied upon to generate and deliver NDNs.
With the current spec as I understand it, you can continue to
say "bounce", since that is what you intend but, in thinking
about the protocol, you should understand every instance of
"user gets a bounce message" as "user gets a bounce message
unless that notification is discarded or disappears, which will
happen sometimes for no obvious reason".
ietf-smtp mailing list