On Thu, Nov 17, 2016 at 3:47 AM, Alessandro Vesely <ves...@tana.it> wrote:

>>> That way it will stay dormant until someone gets hurt and has to activate
>>> it, at which time it may cause more damage than improvement.  A loose
>>> cannon.
>>
>> The document makes that risk clear, or so I thought.
>
> You mean Section 5?

Yes.


>>> Finally, if you stick to one recipient per message, why do you rack your
>>> brains about encryption?  I suggest adding a Disclosed-BCC: header field
>>> with the recipient address in the same 5322.address-list cleartext format
>>> as the other address fields, and sign it FWIW.  It won't break more
>>> privacy than Delivered-To: does.
>>
>> I don't follow.  There's no additional encryption going on here.
>
> I mean the SHA transformation.  Cleartext is obviously easier to
> understand and debug.


I wouldn't say a salted hash qualifies as "racking my brains".  The idea is
to make it difficult to see who the envelope recipient is simply by
looking.  A one-way transformation forces an interloper to make guesses and
try to confirm, and the salt guarantees that your email address does not
always hash to the same thing.  It's not perfect security by any means, but
it's a cheap way to limit what gets leaked.  This too is spelled out in
Section 7.


>> Adding a "Disclosed-BCC" field guarantees disclosure, rather than only
>> disclosing if the MDA adds a Delivered-To.  I don't think we should make
>> that worse.
>
> So long as you disclose it to the very recipient, there is no worry.  NDNs
> customarily report SMTP chit-chat in cleartext, betraying users who attempt
> to hide their real address behind a dot-forward.  Log files are full of
> envelope citations.  Received: fields feature a FOR clause which is not
> deprecated for single recipient messages.  We're not worsening anything.

If you hand me a printed copy of a message without the envelope, and the
Received didn't use the (non-standard) "for" clause, I cannot be certain it
was delivered to whatever the To and Cc say, if they're even present.  It
may have gone only to an envelope recipient that isn't visible.  That is,
if there was a Bcc, it's not revealed to me.  If you insist on using "for"
or "Disclosed-Bcc", that information is guaranteed to be exposed, and I can
see who that secret recipient was.

By contrast, including these tags at most reveals to me that there was a
Bcc, but I have to do some complex (though these days, cheap) math to guess
whether a specific address was in there.  If I never make the correct
guess, the secret is never revealed.

-MSK
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html