Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

"Rolf E. Sonneveld" Mon, 30 November 2015 09:35 UTC

On 30-11-15 02:02, Christian Huitema wrote:
> On Sunday, November 29, 2015 12:54 PM, Jim Fenton wrote:
>> There are users for whom their privacy is critically important, such
>> as press informants in totalitarian societies. There are many other
>> ways to determine their location (network monitoring coupled with
>> a STARTTLS downgrade attack, for one), and it would be harmful
>> (potentially life-threatening) if anyone thought that this would truly
>> protect them. They should be using something like SecureDrop and
>> not using email at all.
> Uh, No. This is the classic "the other side of the boat is leaking too"
> argument, coupled with a dollop of "no security is better than imperfect
> security." Yes, there are many ways for metadata to leak. But that does not
> mean that we should not plug the leaks that we do know about.
> The discussion so far shows that on one hand many people believe that we are
> disclosing too much metadata in mail headers, while many more believe that
> the metadata disclosure is actually useful to fight various forms of abuse,
> some of which may well compromise users' privacy.
> We also heard that some of the big providers have already unilaterally
> decided to suppress some of the metadata, like the first hop address.

Can anyone share some information about which providers made which decision?

> So we
> have at least one data point showing that not all metadata needs to be
> preserved.

I fail to see the causality with the first sentence here: do you mean: 
the world's e-mail ecosystem did not collapse, so this proves that not 
all metadata needs to be preserved?

> The "submission" hop may be a special case, but as Jim points out, mailing
> lists may well be another special case, for which some guidance would be
> useful.
> The concern about topology disclosure may or may not justify pruning some of
> the metadata.
> In short, it appears that there is enough concern and enough uncertainty to
> justify working at least on an analysis document, and depending on the
> outcome on a best practice document. Let's have this debate, and let's make
> some progress on email privacy.

Some work has been done on this, which might be useful input to 
the discussion: see the report "Investigating the leakage of sensitive 
personal and organisational information in email headers" [1].