The MIME-PEM interaction draft looks quite good, but how about the
following addition to the message delivery specification:

    The message delivery mechanism must remove any Content-Annotation
    header fields that exist prior to post-delivery processing. This
    applies to all messages, not just those of Content-Type multipart/pem,
    and recursively to all message parts. This is to ensure that
    Content-Annotation header lines are only created by the local user
    agent.

A related point: how about having the Content-Annotation header field
mention the privacy authority that added the line? That way when you
forwarded an authenticated message your authentication would be declared.
The above treatment of Content-Annotation would need to be modified
to remove header lines claiming your authority.

Finally, is the header name "Content-Annotation" appropriate for this
purpose? The term seems over-general (although perhaps you intend use
for other purposes?). How about "Privacy-Annotation:" or the more wordy
"Content-Privacy-Annotation"?

Allan Schiffman &
Jay Weber
Enterprise Integration Technologies Corporation
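
The delivery-time stripping proposed above, sketched with Python's standard email package as an added example that is not part of the original message or of the draft. The function names, the sample message and the "<authority>; <text>" value syntax are assumptions made for illustration; the message does not define how an authority would be named in the field.

```python
from email import message_from_string

FIELD = "Content-Annotation"

# Constructed sample: sender-supplied annotations at three nesting levels.
# The "<authority>; <text>" value syntax is an assumption, not from the draft.
SAMPLE = """\
From: alice@example.org
Content-Annotation: other-pa.example; signature valid
Content-Annotation: local-ua.example; signature valid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain
Content-Annotation: local-ua.example; signature valid

hello
--b1
Content-Type: message/rfc822

Subject: forwarded
Content-Annotation: local-ua.example; signature valid

inner body
--b1--
"""

def strip_annotations(msg, local_authority=None):
    """Strip FIELD from msg and, recursively, every part; return the count removed.

    local_authority=None removes every annotation (the first proposal).
    Otherwise only annotations claiming local_authority are removed, so
    annotations naming other authorities survive forwarding.
    """
    values = msg.get_all(FIELD, [])
    if local_authority is None:
        kept = []
    else:
        kept = [v for v in values
                if v.split(";", 1)[0].strip().lower() != local_authority.lower()]
    del msg[FIELD]                 # deletes all occurrences; no error if absent
    for v in kept:                 # re-added fields move to the end of the header
        msg[FIELD] = v
    removed = len(values) - len(kept)
    if msg.is_multipart():         # true for multipart/* and for message/rfc822
        for part in msg.get_payload():
            removed += strip_annotations(part, local_authority)
    return removed

def deliver(raw, local_authority=None):
    msg = message_from_string(raw)
    return msg, strip_annotations(msg, local_authority)
```

Run before any post-delivery processing, this leaves the local user agent as the only possible source of annotations (or, in the authority-aware mode, of annotations bearing its own name).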