[Top] [All Lists]

Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

2015-12-01 07:13:56
On 01/12/2015 12:27, Arnt Gulbrandsen wrote:
Ted Lemon answers Dave Crocker:
IMO an essential design benefit in many/most aspects of Internet
technologies is avoiding making any more global assumptions (or
requirements) than essential.  "Deferring to the end systems" is a very
broad-based design requirement and it includes minimizing assumptions
about the transit infrastructure.

Sure, but in this case wouldn't deferring to the end systems argue in favor of allowing end systems to make the decision as to whether their private information should be exposed?

As I see it, that's not the question here. The question is: Should there be an RFC that can be used/misused to apply pressure regarding trace fields etc?

The issue isn't whether person X chooses to add trace fields. The issue is whether person Y can shout at Z to not add or even mangle trace fields, with support from a document that looks official, substantial and authoritative, even though neither Y nor Z understand the nuances of RFC statuses.
Once that document exists, then no one will add the trace fields, because people are paranoid (often rightly so, but not, I believe, in this case). They won't read the document fully. It may say 'you can remove IP address information from trace headers, but should think long and hard about it because doing so may come back to bite you and leaving the information in has minimal risk unless you're so stupid you haven't bothered with a firewall'. They'll get as far as the first comma, and stop.

To be honest, I'm (pleasantly) surprised IP address information is still put in Received headers nowadays. IMHO, the fact that it is suggests that there's a very good reason for it to stay there.

Many service providers and software publishers 'stretch' the rules somewhat, so if this was a big problem without any down-sides, then IP addresses would have disappeared from Received: headers some years ago.

If there were compatibility issues (eg some SMTP servers rejecting mail without the IP address info there), then that would still be a problem even if a new RFC comes out, unless SMTP is totally deprecated and a new mail standard replaces it. If there are no compatibility issues with removing the IP address, then why aren't most providers/systems already removing it nowadays?

ietf-smtp mailing list

<Prev in Thread] Current Thread [Next in Thread>