On 01/12/2015 12:27, Arnt Gulbrandsen wrote:

Ted Lemon answers Dave Crocker:

IMO an essential design benefit in many/most aspects of Internet
technologies is avoiding making any more global assumptions (or
requirements) than essential. "Deferring to the end systems" is a very
broad-based design requirement and it includes minimizing assumptions
about the transit infrastructure.

Sure, but in this case wouldn't deferring to the end systems argue in
favor of allowing end systems to make the decision as to whether
their private information should be exposed?

As I see it, that's not the question here. The question is: Should
there be an RFC that can be used/misused to apply pressure regarding
trace fields etc?

The issue isn't whether person X chooses to add trace fields. The
issue is whether person Y can shout at Z to not add or even mangle
trace fields, with support from a document that looks official,
substantial and authoritative, even though neither Y nor Z understand
the nuances of RFC statuses.

Once that document exists, then no one will add the trace fields,
because people are paranoid (often rightly so, but not, I believe, in
this case). They won't read the document fully. It may say 'you can
remove IP address information from trace headers, but should think long
and hard about it because doing so may come back to bite you and leaving
the information in has minimal risk unless you're so stupid you haven't
bothered with a firewall'. They'll get as far as the first comma, and stop.

To be honest, I'm (pleasantly) surprised IP address information is still
put in Received headers nowadays. IMHO, the fact that it is suggests
that there's a very good reason for it to stay there.

Many service providers and software publishers 'stretch' the rules
somewhat, so if this was a big problem without any downsides, then IP
addresses would have disappeared from Received: headers some years ago.

If there were compatibility issues (e.g. some SMTP servers rejecting mail
without the IP address info there), then that would still be a problem
even if a new RFC comes out, unless SMTP is totally deprecated and a new
mail standard replaces it. If there are no compatibility issues with
removing the IP address, then why aren't most providers/systems already
removing it nowadays?

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp