IETF Logo Mail Archive

Re: [perpass] draft-josefsson-email-received-privacy

Simon Josefsson <simon@josefsson.org> Mon, 26 October 2015 08:35 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723BC1B38E1 for <perpass@ietfa.amsl.com>; Mon, 26 Oct 2015 01:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2UH-mnz3CkS for <perpass@ietfa.amsl.com>; Mon, 26 Oct 2015 01:35:35 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8826D1B38E0 for <perpass@ietf.org>; Mon, 26 Oct 2015 01:35:35 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t9Q8ZNoP015061 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 26 Oct 2015 09:35:24 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Christian Huitema <huitema@huitema.net>
References: <871tcl3f03.fsf@latte.josefsson.org> <20151024224621.15562.qmail@ary.lan> <0c5701d10f8f$882e4a10$988ade30$@huitema.net>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:151026:johnl@taugh.com::Srlxb2NuE/MclTSp:3DQl
X-Hashcash: 1:22:151026:perpass@ietf.org::d9eUJRmLgDMWooAt:9q+C
X-Hashcash: 1:22:151026:huitema@huitema.net::Pyl/KNT90XO/v/3o:MF5C
Date: Mon, 26 Oct 2015 09:35:22 +0100
In-Reply-To: <0c5701d10f8f$882e4a10$988ade30$@huitema.net> (Christian Huitema's message of "Sun, 25 Oct 2015 18:42:09 -0700")
Message-ID: <87pp02rprp.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/perpass/N7NLHc2KYGlDfNqpZl5wYqFOcSI>
Cc: perpass@ietf.org, 'John Levine' <johnl@taugh.com>
Subject: Re: [perpass] draft-josefsson-email-received-privacy
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2015 08:35:37 -0000

"Christian Huitema" <huitema@huitema.net> writes:

> On Saturday, October 24, 2015 3:46 PM, John Levine wrote:
>> ...
>> My suggestion would be to start by finding people who have experience
>> in large mail systems (Ned would be a good start if he has the time),
>> and then state clearly what you're trying to do.  It looks like it's
>> identifying and minimizing the amount of PII collected, reported (to
>> downstream consumers), and logged (for internal users) for incoming
>> mail.  Once you've done that, it'd be quite interesting to try and see
>> what gets collected, and what the tradeoffs are if you don't collect
>> it or don't report or log it.
>
> That sounds like a reasonable plan. Let's start, then. What about having
> interested parties meet at a bar in Yokohama, say Monday evening, and start
> drafting the first solution? I would be happy to pay the first round of
> drinks, if that speeds up consensus...

Sounds like a good idea, thanks for suggesting it.  I'm hoping Linus
will be able to make it since I won't be there.

I am concerned about taking on a too wide scope.  I think it may be
possible to reach closure on improving the Received header wrt privacy.
I'm not against taking on the larger problems mentioned above, however I
feel that it should not stand in the way of progress of fixing some
identified problems of the Received header, and I worry that a wider
task may not reach closure.

To have a starting point for a problem statement for what I'd like to
focus on, the Received header, I would propose:

1) The Problem: SMTP agents add IP addresses and timestamp information
   about its clients in the Received header, in a way that clients
   aren't able to influence.

2) Deployment Consideration: Received headers are useful for mail loop
   detection and debugging by humans, and must continue to serve that
   purpose as good possible, so as long as it doesn't violate the
   privacy problem identified in 1).

3) Work-together Consideration: If there are deployment of related ideas
   already, we want to follow and describe them as long as it solves the
   problem in 1) and retain the useful properties in 2).

4) Simplicity: Pick the simplest solution that meets the requirements.

I'd like to get away from the focus on SMTP submissions, the privacy
violation affects all SMTP relaying.  Submission may be the most
critical part, but there are other situations when you don't want your
client's IP address or time of communication to leak.

/Simon

v2.23.0 | Report a Bug | By Email