Eric Rescorla wrote: > As I understand the situation, the sender the only person > who has to rely on the uniqueness of this header, right? Hi, I have not the faintest idea what you are talking about, but if it is in any way related to the 2822upd concept of a Message-ID "worldwide unique forever" is no nonsense as soon as a Message-ID passes mail2news gateways, and/or is used in an Archived-At URL. > the Message-ID MUST be selected so that: > (1) There is a minimal chance of any two Message-IDs accidentally > colliding within the time period within which an IMDN might be > received. That is apparently the definition for some UUID versions, but not for a Message-ID as specified in RFC.ietf-usefor-usefor: | The Message-ID header field contains a unique message identifier. | Netnews is more dependent on message identifier uniqueness and fast | comparison than Email is [...] | The global uniqueness requirement for <msg-id> in [RFC2822] | is to be understood as applying across all protocols using | such message identifiers, and across both Email and Netnews | in particular. > (2) It is prohibitive for an attacker who has seen one or more > valid Message-IDs to generate additional valid Message-IDs. That would match pseudo-random number, but a "worldwide unique forever" Message-ID can boil down to timestamp @ domain (plus magic to avoid collisions for various Message-ID generators for a given domain or subdomain). > it is RECOMMENDED that Message-IDs be generated using a > cryptographically secure pseudorandom number generator Please get the terminology right as first priority, what you are talking about is apparently *NOT* an 2822upd Message-ID as used in mail, news, APOP, and CRAM-MD5. Frank _______________________________________________ IETF mailing list IETF@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf