2015-11-29 21:22:26
On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:

> There are users for whom their privacy is critically important, such
> as press informants in totalitarian societies. There are many other
> ways to determine their location (network monitoring coupled with
> a STARTTLS downgrade attack, for one), and it would be harmful
> (potentially life-threatening) if anyone thought that this would truly
> protect them. They should be using something like SecureDrop and
> not using email at all.

Uh, No. This is the classic "the other side of the boat is leaking too"
argument, coupled with a dollop of "no security is better than imperfect
security." Yes, there are many ways for metadata to leak. But that does not
mean that we should not plug the leaks that we do know about.

The discussion so far shows that on one hand many people believe that we are
disclosing too much metadata in mail headers, while many more believe that
the metadata disclosure is actually useful to fight various forms of abuse,
some of which may well compromise users' privacy. 

We also heard that some of the big providers have already unilaterally
decided to suppress some of the metadata, like the first hop address. So we
have at least one data point showing that not all metadata needs to be

The "submission" hop may be a special case, but as Jim points out, mailing
lists may well be another special case, for which some guidance would be

The concern about topology disclosure may or may not justify pruning some of
the metadata.

In short, it appears that there is enough concern and enough uncertainty to
justify working at least on an analysis document, and depending on the
outcome on a best practice document. Let's have this debate, and let's make
some progress on email privacy.

-- Christian Huitema