Re: Evaluation: draft-vaudreuil-mdnbis - Message DispositionNotification to Draft Standard

[ned.freed@mrochek.com]

> In message <200304162025.QAA15673@ietf.org>, IESG Secretary writes:
> >
> >Last Call to expire on: 2002-12-23
> >
> >	Please return the full line with your position.
> >
> >                    Yes    No-Objection  Discuss *  Abstain
> >
> >
> >Steve Bellovin      [   ]     [   ]       [ X ]      [   ]

> This section:

>      The comparison of the addresses should be done using only the addr-
>      spec (local-part "@" domain) portion, excluding any phrase and route.
>      The comparison MUST be case-sensitive for the local-part and case-
>      insensitive for the domain part.

> has security implications -- a source-routed address is not necessarily
> the same as the absolute address with the same name.

Um, well, actually, we have been saying that it is supposed to be the same,
going back as far as RFC 1123. A source route is supposed to be merely a
routing indicator that may or may not even be honored, it is not supposed to be
a namespace qualifier.

While I've seen considerable unevenness in support for source routes over the
years, I can't recall a case where I found one being used to qualify addresses
as belonging to a separate namespace. (The same cannot be said of % hacks or !
paths, of course -- they were commonly used for that. And don't get me started
about X.400...)

I guess I have no real problem with noting this as a possible issue, but
I really think it is an entirely academic one at this point.

> More generally, there are privacy issues with MDN -- the recipient may
> not want the sender to know when he or she is receiving or reading
> email.  The draft implicitly recognizes that, in the rules requiring
> explicit consent for MDNs.  That broader issue isn't mentioned in the
> Security Considerations, and should be -- my example is just one
> instance of a privacy problem.

OK, I'll if I can't work up some text.

					Ned