Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

"Christian Huitema" <> Mon, 30 November 2015 01:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BBBCE1B3D5A for <>; Sun, 29 Nov 2015 17:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W1ThJwjKTwni for <>; Sun, 29 Nov 2015 17:02:27 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 672911B3D57 for <>; Sun, 29 Nov 2015 17:02:27 -0800 (PST)
Received: from [] ( by with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <>) id 1a3CrJ-0006v3-8v for; Sun, 29 Nov 2015 20:02:26 -0500
Received: (qmail 29163 invoked from network); 30 Nov 2015 01:02:24 -0000
Received: from unknown (HELO huitema1) ([]) (envelope-sender <>) by (qmail-ldap-1.03) with ESMTPA for <>; 30 Nov 2015 01:02:23 -0000
From: "Christian Huitema" <>
To: "'Jim Fenton'" <>, <>, <>
References: <alpine.OSX.2.11.1511282155180.1479@ary.lan> <> <Eoqbyz/axxwfm7I0m8X7QOm53qcBtCJIuS/> <> <> <>
In-Reply-To: <>
Date: Sun, 29 Nov 2015 15:02:57 -1000
Message-ID: <015801d12b0a$dc8731d0$95959570$>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQDViSzVEAomjdiWLJi2G+4e/BH4eQBMFf/cAsRad00CzkP00wJ+WwCBAQ2ZiU2gX6mjYA==
Content-Language: en-us
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2015 01:02:28 -0000

On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
> There are users for whom their privacy is critically important, such 
> as press informants in totalitarian societies. There are many other 
> ways to determine their location (network monitoring coupled with 
> a STARTTLS downgrade attack, for one), and it would be harmful 
> (potentially life-threatening) if anyone thought that this would truly 
> protect them. They should be using something like SecureDrop and 
> not using email at all.

Uh, No. This is the classic "the other side of the boat is leaking too"
argument, coupled with a dollop of "no security is better than imperfect
security." Yes, there are many ways for metadata to leak. But that does not
mean that we should not plugs the leaks that we do know about.

The discussion so far shows that one hand many people believe that we are
disclosing too much metadata in mail headers, while many more believe that
the metadata disclosure is actually useful to fight various forms of abuse,
some of which may well compromise users' privacy. 

We also heard that some of the big providers have already unilaterally
decided to suppress some of the metadata, like the first hop address. So we
have at least one data point showing that not all metadata needs to be

The "submission" hop may be a special case, but as Jim points out, mailing
lists may well another special case, for which some guidance would be

The concern about topology disclosure may or may not justify pruning some of
the metadata.

In short, it appears that there is enough concern and enough uncertainty to
justify working at least on an analysis document, and depending on the
outcome on a best practice document. Let's have this debate, and let's make
some progress on email privacy.

-- Christian Huitema