Re: Evaluation: draft-vaudreuil-mdnbis - Message Disposition Notification to Draft Standard
- To: IESG Secretary <iesg-secretary@ietf.org>
- Subject: Re: Evaluation: draft-vaudreuil-mdnbis - Message Disposition Notification to Draft Standard
- From: "Steven M. Bellovin" <smb@research.att.com>
- Date: Mon, 28 Apr 2003 16:02:07 -0400
- Cc: Internet Engineering Steering Group <iesg@ietf.org>
In message <200304162025.QAA15673@ietf.org>, IESG Secretary writes:
>
>Last Call to expire on: 2002-12-23
>
> Please return the full line with your position.
>
>                     Yes    No-Objection  Discuss *  Abstain
>
>
>Steve Bellovin      [   ]     [   ]       [ X ]      [   ]

This section:

     The comparison of the addresses should be done using only the
     addr-spec (local-part "@" domain) portion, excluding any phrase
     and route.  The comparison MUST be case-sensitive for the
     local-part and case-insensitive for the domain part.

has security implications -- a source-routed address is not necessarily
the same as the absolute address with the same name.

More generally, there are privacy issues with MDN -- the recipient may
not want the sender to know when he or she is receiving or reading
email. The draft implicitly recognizes that, in the rules requiring
explicit consent for MDNs. That broader issue isn't mentioned in the
Security Considerations, and should be -- my example is just one
instance of a privacy problem.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
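
The comparison rule quoted in the message above, as an added Python example that is not part of the original message or of the draft: it applies the addr-spec rule and separately reports when two addresses agree only after their source routes are discarded, the case the message flags. The parser is a simplified one, and the `compare` labels and the example.com/example.net addresses are constructed for illustration.

```python
import re

def parse(addr):
    """Split an address into (route, local-part, domain).

    Simplified parser for illustration: handles 'Phrase <addr>', '<addr>',
    bare 'addr', and an RFC 822 source route '@hop1,@hop2:' before the
    addr-spec. Comments and domain literals are not handled.
    """
    s = addr.strip()
    m = re.search(r'<([^<>]*)>\s*$', s)
    if m:                                   # drop the display phrase
        s = m.group(1).strip()
    route = ''
    if s.startswith('@'):                   # source route ends at ':'
        route, sep, s = s.partition(':')
        if not sep:
            raise ValueError('route without addr-spec: %r' % addr)
    local, at, domain = s.rpartition('@')
    if not (at and local and domain):
        raise ValueError('no addr-spec in %r' % addr)
    # Domains (and route hops, which are domains) are case-insensitive;
    # the local-part is kept byte-for-byte.
    return route.lower(), local, domain.lower()

def same_addr_spec(a, b):
    """The quoted rule: ignore phrase and route, local-part exact,
    domain case-insensitive."""
    return parse(a)[1:] == parse(b)[1:]

def compare(a, b):
    """Hypothetical stricter check (an assumption of this example):
    'match', 'mismatch', or 'route-differs' when the addr-specs agree
    but the source routes do not."""
    if not same_addr_spec(a, b):
        return 'mismatch'
    return 'match' if parse(a)[0] == parse(b)[0] else 'route-differs'

if __name__ == '__main__':
    # Constructed sample addresses.
    pairs = [
        ('Alice <alice@Example.COM>', 'alice@example.com'),
        ('Alice@example.com', 'alice@example.com'),
        ('<@relay.example.net:alice@example.com>', 'alice@example.com'),
    ]
    for a, b in pairs:
        print('%-45s %-20s %-6s %s' % (a, b, same_addr_spec(a, b), compare(a, b)))
```
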