Eric Rescorla wrote:
As I understand the situation, the sender the only person
who has to rely on the uniqueness of this header, right?
Hi, I have not the faintest idea what you are talking about,
but if it is in any way related to the 2822upd concept of
a Message-ID "worldwide unique forever" is no nonsense as
soon as a Message-ID passes mail2news gateways, and/or is
used in an Archived-At URL.
the Message-ID MUST be selected so that:
(1) There is a minimal chance of any two Message-IDs accidentally
colliding within the time period within which an IMDN might be
received.
That is apparently the definition for some UUID versions, but
not for a Message-ID as specified in RFC.ietf-usefor-usefor:
| The Message-ID header field contains a unique message identifier.
| Netnews is more dependent on message identifier uniqueness and fast
| comparison than Email is
[...]
| The global uniqueness requirement for <msg-id> in [RFC2822]
| is to be understood as applying across all protocols using
| such message identifiers, and across both Email and Netnews
| in particular.
(2) It is prohibitive for an attacker who has seen one or more
valid Message-IDs to generate additional valid Message-IDs.
That would match pseudo-random number, but a "worldwide unique
forever" Message-ID can boil down to timestamp @ domain (plus
magic to avoid collisions for various Message-ID generators
for a given domain or subdomain).
it is RECOMMENDED that Message-IDs be generated using a
cryptographically secure pseudorandom number generator
Please get the terminology right as first priority, what you
are talking about is apparently *NOT* an 2822upd Message-ID
as used in mail, news, APOP, and CRAM-MD5.
Frank
_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf