On Tue 2019-01-15 18:21:48 -0500, Viktor Dukhovni wrote:
> On Jan 15, 2019, at 5:21 PM, Stephen Farrell <[email protected]> wrote:
>
>> Well, not until you get to ESNI and fingerprinting different
>> handshake instances as a way to track a message down a chain
>> of MTAs.
>
> This is mail, not HTTP. If you get to read the resulting
> headers, the trace headers are all there. So whatever your
> concern was, it seems rather moot.

I agree with Viktor that what we're looking at in the headers is more
like the "inside" of the TLS tunnel, so there's not as much of a risk as
there would be on the outside of the message.

That said, Received: headers (and other e-mail headers) do have privacy
implications and it would be a mistake to wave them all away with "it's
not HTTP". For example, some MSAs add a Received: header that
identifies the incoming IP address of the submitting MUA. This can be
used by the recipient of the message to learn where on the network the
message sender was when they sent the message. This is probably not a
good thing in terms of privacy from the user's perspective, and MSAs
probably should not be doing it.

Whether the SNI used by an incoming client falls in the same category is
a different question, of course.

--dkg
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
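
An added example, not part of the original message: a check an operator could run on a message sent through their own MSA to see whether its earliest Received: header records the submitting client's IP address, as described above. The sample message, hostnames and addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: two hops, the lower one added by the submission server.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby mail.example.org with ESMTPS id abc123;
\tTue, 15 Jan 2019 18:22:10 -0500
Received: from [198.51.100.7] (laptop.home.example [198.51.100.7])
\tby submit.example.net with ESMTPSA id def456;
\tTue, 15 Jan 2019 18:21:50 -0500
From: sender@example.net
To: rcpt@example.org
Subject: test

body
"""

IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
WITH_PROTO = re.compile(r"\bwith\s+(\S+)", re.I)

def submission_hop_exposure(raw):
    """Return (client_ip, protocol) from the earliest Received: header, or None."""
    hops = message_from_string(raw).get_all("Received") or []
    if not hops:
        return None
    # Each relay prepends its header, so the last one is the first hop.
    first = " ".join(hops[-1].split())  # unfold continuation lines
    if not first.lower().startswith("from "):
        return None  # no "from" clause: the client is not identified
    from_part = first.split(" by ", 1)[0]
    proto = WITH_PROTO.search(first)
    for candidate in IP_LITERAL.findall(from_part):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # bracketed text that is not an address
        # ESMTPSA (RFC 3848) marks an authenticated session, i.e. a submission.
        return (str(ip), proto.group(1).rstrip(";") if proto else None)
    return None

if __name__ == "__main__":
    print(submission_hop_exposure(SAMPLE))
```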
