Re: [Last-Call] Secdir last call review of draft-billon-expires-08

On 12/24/22 06:54, Chris Lonvick via Datatracker wrote:

First, looking at this from an operational, “on the wire” perspective, the
Expires header field will pose no additional security concerns over those
defined in RFC 5322.

The thing that strikes me as unusual about this proposal is that there's not any other email header field that can even be remotely implied to mean "it's okay to delete this message". So until now, the prospect of having a message deleted without the recipient's approval is not considered a security risk. Standardizing an Expires field changes that.

Of course even without an Expires field, messages are routinely deleted by spam filters without the recipient's approval. But for some reason we don't consider that a security risk, presumably because we don't consider spam filters adversaries. Of course spam filters can be adversaries; they can interfere with communications for reasons that suit the spam filter's interests rather than the recipient's interests. It is completely unreasonable to assume that they are even benign or neutral.

Frankly, I find the secdir review deficient.

Keith


--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



