Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
Hector Santos <hsantos@isdg.net> Sat, 05 December 2015 18:49 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F721B2C4D for <shutup@ietfa.amsl.com>; Sat, 5 Dec 2015 10:49:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.103
X-Spam-Level:
X-Spam-Status: No, score=-100.103 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tKiwjyKDJB9z for <shutup@ietfa.amsl.com>; Sat, 5 Dec 2015 10:49:17 -0800 (PST)
Received: from mail.santronics.com (secure.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 461251B2C50 for <shutup@ietf.org>; Sat, 5 Dec 2015 10:49:16 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=5828; t=1449341350; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=eE70q/oURwjnZMxQCLCpY5Xi6J8=; b=uzPwyFT1oFKW/mxWNxfgEV68g+SQD0349TmTw1BdnNeiSRRJjfm2vJX/ucbyrd mHuopV1J/3tw3TXlRANpCFIk1LwsW8ITOy5V163n+Gic78B7zoelBMZ5s6TRWyhc xz0gfiYYHr+mBNE/jeRJLwDVNS/fgCQC7BpyD1d6VR/ZM=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for shutup@ietf.org; Sat, 05 Dec 2015 13:49:10 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com; dmarc=pass policy=none author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from opensite.winserver.com (beta.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 1229543222.3311.2984; Sat, 05 Dec 2015 13:49:10 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5828; t=1449341236; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=WovVO/5 HTSFYac3bjLy2tgN5+6nppgdfJ+p6Kzq07SQ=; b=RPhfgWBEAOlzUcVhhdHRN/v X8uitmcJ7KUgvwd2YGmwhefmpEpXRe/P7cslHxaBJ0NAivoB3UjlIaXkQMinG0zK 6lJDkMtcqdtgrWPCDA8RPAJ+7jCmLCZ3lFiNAprOVLmPHq6t1t9TAunqNmxlm7r0 VT3D8K4A/iAvmzLcdgj0=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for shutup@ietf.org; Sat, 05 Dec 2015 13:47:16 -0500
Received: from [192.168.1.2] ([99.121.4.202]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 168401868.9.95964; Sat, 05 Dec 2015 13:47:15 -0500
Message-ID: <5663316A.3060002@isdg.net>
Date: Sat, 05 Dec 2015 13:48:10 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Ted Lemon <mellon@fugue.com>, shutup@ietf.org
References: <20151130042819.10658.qmail@ary.lan> <1448858775386-ceecd236-8b11ac04-a03b4438@fugue.com> <01PTPUIP3IUK01729W@mauve.mrochek.com> <11d014e5-9a6a-4b78-92a1-8e0a1e0a905d@gulbrandsen.priv.no> <01PTRE1WMUMQ01729W@mauve.mrochek.com> <1448995610381-36d96644-173d7bf5-b94de12d@fugue.com> <565DF2F0.6050207@mustelids.ca> <1449025790038-5861f0d7-9427eca4-6b12d71f@fugue.com> <5661B1AF.6060603@mustelids.ca> <5661C55E.8040704@dcrocker.net> <1449257857273-059c8a27-1accf1f5-4d335b6b@fugue.com>
In-Reply-To: <1449257857273-059c8a27-1accf1f5-4d335b6b@fugue.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/XtXk7WJGftncoWpEnJ99IRtLrqE>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2015 18:49:20 -0000
On 12/4/2015 2:37 PM, Ted Lemon wrote: > Friday, Dec 4, 2015 11:54 AM Dave Crocker wrote: >> Hence, queries of the 'show your work' type move into the realm of >> etended tutorial to non-experts, rather than helping to the vetting of >> foundational issues for creating a working group. > > I share your discomfort. However, my concern with the approach of simply refusing to answer questions on the grounds you state is twofold: first, it excludes any participation by stakeholders other than anti-spam developers, and there are other stakeholders. Second, it preserves the status quo, which is clearly broken. By which I do not mean that you all are not doing good work: what I mean is that because you are so effective at minimizing spam, there is no incentive to actually clean up many of the messes you are working around at the moment. > >>From my perspective, quite a bit of useful information has already been shared as a result of this discussion, and it would be nice if that information were collected somewhere. I think that there's more work to be done. It may be bothersome to folks who don't feel that these questions need to be answered, but I don't think it's realistic to think that if you just protest loudly enough, they will stop getting asked, or that the practice of header redaction will not become more widespread. > Ted, as you know, many packages are quite old and well established -- change is not easy. What is common is that we all need to interop in a consistent and persistent protocol required/expected manner. Without that, it doesn't work well. Sure, it will be nice to read reports on methods, ideas, issues but for the most part much of this has already been covered. So what else is possibly new after 30+ years of world-wide mail industry? If it has been shown that the STD10/RFC2821/RFC5321.Received can be "exploited" in some negative way, then it doesn't really matter what I think, the customer can be potentially harmed and therefore, I am ethically obligated to offer an option to disable, hide or mask the "harmful" information. So what are the ideas for this? In the end, it may come down to changing the standard to say "MAY|SHOULD" instead of "MUST" IFF there is NO evidence of interop issues. We do this all the time with product identification during any internet application protocol connections. For example, for PCI compliance, I have a very large customer whose PCI auditor pushed for the removal of all hosting product id/version identifying information. We made the option to disable available to the customer quickly and for others in the next update. No more support cost issues along those lines whether I thought it as stupid or not. I can say that PCI Auditors can push for (IETF protocol related) technical changes if the customers are hassled by them. We have already begun to see the browser enforcement with the HTTPS only push. We long had a "Single Click PCI Compliance" button to enforces HTTPS and Session Tracking/Time Management. However, most of the time, No one have have an answer for "Compromised User" issues. In that case, all bets are off. Like a "Active Shooter," learn to track it and basically shut the account or force a changing of a password. If the removal of the "Received:" trace line help mitigate a potential exploit, then I would like to see input from people who think it may be also a backward compatibility issue where "useful things" may break. Now that I am thinking about it, I need to see how it could alter our SMTP valid RFC header detector during reception. Technically, we can have Very Simple Mail Transfer Protocol (VSMTP) clients sending mail where the RFC 822/2821/5321 header block MAY NOT be part of the payload (DATA). IOW, you can do see this: C: EHLO mail.fugue.com S: 250 Welcome C: MAIL FROM <mellon@fugue.com> S: 250 its all good C: RCPT TO: <hsantos@isdg.net> S: 250 continue C: DATA S: 353 What do you have to say? Hi there!<CR><LF>.<CR><LF> S: 250 Mail Accepted! C: QUIT S: 220 <click> And that MAY be an acceptable transaction because the system will auto-fill or regenerate the required RFC fields or it may not, i.e. for a print or fax job, or if its a local message versus a relay: 5322.From: <--- 5321.MAIL FROM, Required 5322.Date: <--- Current Time Stamp (GMT), Required 5322.To: <--- 5321.RCPT TO, Not Required 5322.Subject: <--- not required At a minimum, most mail readers systems only needed the above fields for the simplest Mail Reader possible. I've written about 5-6 MUAs in my time. However, the regeneration MAY NOT take place if it detects a valid internet email header. So the question now becomes how tight is the SMTP requirements per site? If the site follow strict RFC822, then you require: 822.From: 822.Date: 822.TO or 822.CC If you relaxed it to RFC2822 (which is the same as RFC5322), then only the 5322.From: and 5322.Date: are required. The "To:" was relaxed, not required. Once upon a time there was a I-D Proposal to further relaxed the "5322.From" header from email. If that had happen, DKIM would probably never had been done even though today, many folks would probably not wanted the 5322.From: DKIM binding requirement. Notice how there is a conflict here as well with Received since it also part of the Binding recommendations (but not a requirement). In any case, in our SMTP RFC detector, we also use the the required "Received" line depending on what level of 822/2822/5322 support is enabled. I have to check. So overall, it is not cut and dry about removing a long time "standard" required feature in SMTP. It has to be studied before a recommendation can be made to effectively change a long time standard. -- HLS
- Re: [Shutup] Proposed Charter for something Ted Lemon
- [Shutup] Proposed Charter for the "SMTP Headers U… Alexey Melnikov
- Re: [Shutup] Proposed Charter for the "SMTP Heade… John R Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Alexey Melnikov
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Stephen Farrell
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Jim Fenton
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Christian Huitema
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ned Freed
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Rolf E. Sonneveld
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Newman
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Steve Atkins
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Richard Clayton
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ned Freed
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ned Freed
- Re: [Shutup] chained authorizationm, was Proposed… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] chained authorizationm, was Proposed… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Al Iverson
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Steve Atkins
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Randall Gellens
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Martijn Grooten
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ned Freed
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Tony Finch
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Kurt Andersen (b)
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Martijn Grooten
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Christian Huitema
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Stephen Farrell
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Stephen Farrell
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Hector Santos
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Martijn Grooten
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Stephen Farrell
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… John Levine
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Derek J. Balling
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Stephen Farrell
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Derek J. Balling
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Simon Josefsson
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Derek J. Balling
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… John Levine
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Richard Clayton
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Christian Huitema
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Steve Atkins
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Al Iverson
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Kurt Andersen
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Robert A. Rosenberg
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Al Iverson
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… Derek J. Balling
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… MH Michael Hammer (5304)
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] real life privacy tradeo… Christian Huitema
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Robert A. Rosenberg
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Robert A. Rosenberg
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Dave Crocker
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Chris Lewis
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Ted Lemon
- Re: [Shutup] [ietf-smtp] Proposed Charter for the… Hector Santos
- [Shutup] Proposed Charter for the "SMTP Headers U… SM
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Chris Lewis
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Chris Lewis
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Ned Freed
- Re: [Shutup] Proposed Charter for the "SMTP Heade… SM
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Chris Lewis
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Christian Huitema
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Chris Lewis
- Re: [Shutup] Proposed Charter for the "SMTP Heade… SM
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Martijn Grooten
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Chris Lewis
- Re: [Shutup] Proposed Charter for something John Levine
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Robert A. Rosenberg
- Re: [Shutup] Proposed Charter for something Dave Crocker
- Re: [Shutup] Proposed Charter for something Martijn Grooten
- Re: [Shutup] [ietf-smtp] Proposed Charter for som… John C Klensin
- Re: [Shutup] Proposed Charter for something Stephen Farrell
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Ned Freed
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Stephen Farrell
- Re: [Shutup] Proposed Charter for the "SMTP Heade… Christian Huitema
- Re: [Shutup] [ietf-smtp] Proposed Charter for som… Chris Lewis
- Re: [Shutup] Proposed Charter for something Hector Santos