|
|
|
@ -69,7 +69,7 @@ the S/MIME specification for header protection. |
|
|
|
# Introduction |
|
|
|
|
|
|
|
A range of protocols for the protection of electronic mail (email) |
|
|
|
exist, which allow to assess the authenticity and integrity of the |
|
|
|
exists, which allows to assess the authenticity and integrity of the |
|
|
|
email headers section or selected header fields (HF) from the |
|
|
|
domain-level perspective, specifically DomainKeys Identified Mail |
|
|
|
(DKIM) {{RFC6376}} and Sender Policy Framework (SPF) {{RFC7208}}, and |
|
|
|
@ -79,7 +79,7 @@ a range of attacks on email, do not offer (full) end-to-end protection |
|
|
|
to the header section and are not capable of providing privacy for the |
|
|
|
information contained therein. |
|
|
|
|
|
|
|
The need for means of Data Minimization, which includes data spareness |
|
|
|
The need for means of Data Minimization, which includes data sparseness |
|
|
|
and hiding all technically concealable information whenever possible, |
|
|
|
has grown in importance over the past several years. |
|
|
|
|
|
|
|
@ -99,9 +99,13 @@ Several varying implementations of end-to-end protections for email |
|
|
|
header sections exist, though the total number of such implementations |
|
|
|
appears to be rather low. |
|
|
|
|
|
|
|
Some LAMPS WG participants expressed the opinion that whatever |
|
|
|
mechanism will be chosen, it should not be limited to S/MIME, but |
|
|
|
also applicable to PGP/MIME. |
|
|
|
Some LAMPS WG participants expressed the opinion that regardless of |
|
|
|
the mechanism chosen, it should not be limited to S/MIME, but also |
|
|
|
applicable to PGP/MIME. |
|
|
|
|
|
|
|
<!-- Suggestion KRB: |
|
|
|
it should be applicable to both S/MIME and PGP/MIME. |
|
|
|
--> |
|
|
|
|
|
|
|
This document describes the problem statement ({{problem-statement}}), |
|
|
|
generic use cases ({{use-cases}}) and the specification for Header |
|
|
|
@ -113,15 +117,20 @@ requirements that this specification is based on. |
|
|
|
<!-- TODO: Decide whether to add the requirements to this document or |
|
|
|
leave them in a separate document --> |
|
|
|
|
|
|
|
This document is in early draft state and contains a proposal to base |
|
|
|
the upcoming discussions on. In any case, the final solution is to be |
|
|
|
determined by the IETF LAMPS WG. |
|
|
|
This document is in early draft state and contains a proposal on which |
|
|
|
to base future discussions of this topic. In any case, the final |
|
|
|
mechanism is to be determined by the IETF LAMPS WG. |
|
|
|
|
|
|
|
{::include ../shared/text-blocks/key-words-rfc2119.mkd} |
|
|
|
|
|
|
|
|
|
|
|
{::include ../shared/text-blocks/terms-intro.mkd} |
|
|
|
|
|
|
|
Note: To avoid ambiguity, this document does not use the terms |
|
|
|
"Header" or "Headers" in isolation, but instead always uses "Header |
|
|
|
Field" to refer to the individual field and "Header Section" to |
|
|
|
refer to the entire collection; cf. {{RFC5322}}. |
|
|
|
|
|
|
|
<!-- {::include ../shared/text-blocks/handshake.mkd} --> |
|
|
|
<!-- {::include ../shared/text-blocks/trustwords.mkd} --> |
|
|
|
<!-- {::include ../shared/text-blocks/tofu.mkd} --> |
|
|
|
@ -131,26 +140,10 @@ determined by the IETF LAMPS WG. |
|
|
|
|
|
|
|
* PGP/MIME: MIME Security with OpenPGP (cf. {{RFC3156}}) |
|
|
|
|
|
|
|
* Message: An Email Message consisting of header fields |
|
|
|
(collectively called "the Header Section of the message") followed, |
|
|
|
optionally, by a Body; cf. {{RFC5322}}. |
|
|
|
|
|
|
|
* Transport: The entity taking care of the transport of a Message |
|
|
|
towards the receiver or from the sender. The Transport on the |
|
|
|
sending side typically determines the destination recipients by |
|
|
|
reading the To, Cc and Bcc Header Fields (of the Outer |
|
|
|
Message). The Transport is typically implemented by an MTA (Mail |
|
|
|
Transfer Agent). |
|
|
|
|
|
|
|
* Header Field (HF): cf. {{RFC5322}} Header Fields are lines beginning |
|
|
|
with a field name, followed by a colon (":"), followed by a field |
|
|
|
body (value), and terminated by CRLF; cf. {{RFC5322}}. |
|
|
|
|
|
|
|
Note: To avoid ambiguity, this document does not use the terms |
|
|
|
"Header" or "Headers" in isolation, but instead always uses "Header |
|
|
|
Field" to refer to the individual field and "Header Section" to |
|
|
|
refer to the entire collection; cf. {{RFC5322}}. |
|
|
|
|
|
|
|
* Header Section (HS): The Header Section is a sequence of lines of |
|
|
|
characters with special syntax as defined in {{RFC5322}}. It is the |
|
|
|
(top) section of a message containing the Header Fields. |
|
|
|
@ -172,6 +165,27 @@ determined by the IETF LAMPS WG. |
|
|
|
MIME Header Fields of a Header Section that - in addition to MIME |
|
|
|
Header Fields - also contains non-MIME Header Fields. |
|
|
|
|
|
|
|
* Essential Header Fields (EHF): The minimum set of Header Fields an |
|
|
|
Outer Message Header Section SHOULD contain; cf. {{outer-msg-hf}}. |
|
|
|
|
|
|
|
* Message: An Email Message consisting of Header Hields |
|
|
|
(collectively called "the Header Section of the message") followed, |
|
|
|
optionally, by a Body; cf. {{RFC5322}}. |
|
|
|
|
|
|
|
* Transport: The entity taking care of the transport of a Message |
|
|
|
towards the receiver or from the sender. |
|
|
|
<!-- Feedback KRB: |
|
|
|
It's confusing to define transport as both an entity and process. I |
|
|
|
realize that's exactly what it is, but it reads awkwardly. Suggest |
|
|
|
"delivery", "transit", "transfer", or similar. The other uses of |
|
|
|
"transport" are okay, just this opening sentence needs help. |
|
|
|
--> |
|
|
|
The Transport on the |
|
|
|
sending side typically determines the destination recipients by |
|
|
|
reading the To, Cc and Bcc Header Fields (of the Outer |
|
|
|
Message). The Transport is typically implemented by an MTA (Mail |
|
|
|
Transfer Agent). |
|
|
|
|
|
|
|
* Header Protection (HP): cryptographic protection of email Header |
|
|
|
Sections (or parts of it) for signatures and/or encryption |
|
|
|
|
|
|
|
@ -209,9 +223,6 @@ determined by the IETF LAMPS WG. |
|
|
|
at the receiving side. Typically this is the same as the Inner |
|
|
|
Message. |
|
|
|
|
|
|
|
* Essential Header Fields (EHF): The minimum set of Header Fields an |
|
|
|
Outer Message Header Section SHOULD contain; cf. {{outer-msg-hf}}. |
|
|
|
|
|
|
|
* Protected: Protected refers to the parts of a message where |
|
|
|
protection measures of any Protection Level have been applied to. |
|
|
|
|
|
|
|
@ -224,7 +235,7 @@ determined by the IETF LAMPS WG. |
|
|
|
* Unprotected Message: A message that no protection measures of any |
|
|
|
Protection Levels have been applied to. |
|
|
|
|
|
|
|
* Data Minimization: Data spareness and hiding of all technically |
|
|
|
* Data Minimization: Data sparseness and hiding of all technically |
|
|
|
concealable information whenever possible. |
|
|
|
|
|
|
|
|
|
|
|
@ -247,7 +258,7 @@ In the following a set of challenges to be addressed: |
|
|
|
|
|
|
|
## Privacy {#privacy} |
|
|
|
|
|
|
|
* Data Minimization, which includes data spareness and hiding all |
|
|
|
* Data Minimization, which includes data sparseness and hiding all |
|
|
|
technically concealable information whenever possible |
|
|
|
|
|
|
|
|
|
|
|
@ -271,9 +282,8 @@ In the following a set of challenges to be addressed: |
|
|
|
|
|
|
|
In the following, the reader can find a list of the generic use cases |
|
|
|
that need to be addressed for messages with Header Protection |
|
|
|
(HP). These use cases apply independently of whether S/MIME, PGP/MIME |
|
|
|
or any other technology is used to achieve HP. |
|
|
|
|
|
|
|
(HP). These use cases apply regardless of technology (S/MIME, |
|
|
|
PGP/MIME, etc.) used to achieve HP. |
|
|
|
|
|
|
|
|
|
|
|
## Interactions {#interactions} |
|
|
|
@ -289,13 +299,13 @@ cf. {{main-use-case}}. |
|
|
|
|
|
|
|
### Backward Compatibility |
|
|
|
<!-- explain what is not correct --> |
|
|
|
The sending side fully supports Header protection as specified in this |
|
|
|
The sending side fully supports Header Protection as specified in this |
|
|
|
document, while the receiving side does not support the MIME |
|
|
|
specification {{RFC2045}}, ff. correctly; see |
|
|
|
{{backward-compatibility-use-case}}. |
|
|
|
|
|
|
|
|
|
|
|
Note: The compatibility of legacy HP systems with this new solutions, |
|
|
|
Note: The compatibility of legacy HP systems with this new solution, |
|
|
|
and how to handle issues surrounding future maintenance for these |
|
|
|
legacy systems, will be decided by the LAMPS WG. |
|
|
|
|
|
|
|
@ -331,7 +341,7 @@ c) Encryption only |
|
|
|
# Specification {#specification} |
|
|
|
|
|
|
|
This section contains the specification for Header Protection in |
|
|
|
S/MIME to update and clarifies Section 3.1 of {{RFC8551}} (S/MIME |
|
|
|
S/MIME to update and it clarifies Section 3.1 of {{RFC8551}} (S/MIME |
|
|
|
4.0). |
|
|
|
|
|
|
|
Furthermore, it is likely that PGP/MIME {{RFC3156}} will also incorprorate |
|
|
|
@ -488,13 +498,13 @@ to be considered, is described in |
|
|
|
{{I-D.autocrypt-lamps-protected-headers}}. |
|
|
|
|
|
|
|
Unlike the option described in {{option-smime-spec}}, this option does |
|
|
|
not use a "message/RFC822" wrapper to unambigously delimit the Inner |
|
|
|
not use a "message/RFC822" wrapper to unambiguously delimit the Inner |
|
|
|
Message. |
|
|
|
|
|
|
|
Note: More specific on Parsers (as there are two aspects here) |
|
|
|
|
|
|
|
Note: it is for further study, whether or not this option is (fully) |
|
|
|
compliant with the MIME standard, in particuar also {{RFC2046}}, |
|
|
|
compliant with the MIME standard, in particular also {{RFC2046}}, |
|
|
|
Section 5.1. (Multipart Media Type). |
|
|
|
<!-- |
|
|
|
Maybe remove (as suggested by Alexey) |
|
|
|
@ -515,9 +525,9 @@ The MIME structure of an Email message looks as follows: |
|
|
|
{::include ../shared/fence-line.mkd} |
|
|
|
|
|
|
|
|
|
|
|
The following example demonstrates how header section and payload of a |
|
|
|
protect body part might look like. For example, this will be the |
|
|
|
first body part of a multipart/signed message or the signed and/or |
|
|
|
The following example demonstrates how the header section and payload |
|
|
|
of a protected body part might appear. For example, this will be |
|
|
|
the first body part of a multipart/signed message or the signed and/or |
|
|
|
encrypted payload of the application/pkcs7-mime body part. Lines |
|
|
|
prepended by "O: " are the outer header section. Lines prepended by |
|
|
|
"I: " are the inner header section. |
|
|
|
@ -580,10 +590,10 @@ Message along with other MIME part(s). |
|
|
|
|
|
|
|
### Inner Message Header Fields {#inner-msg-hf} |
|
|
|
|
|
|
|
It is RECOMMEND that the Inner Messages contains all the Header Fields |
|
|
|
of the Original Message with the exception of the following Header |
|
|
|
Field, which MUST NOT be included to the Inner Message nor to any |
|
|
|
other protected part of the message: |
|
|
|
It is RECOMMENDED that the Inner Messages contains all the Header |
|
|
|
Fields of the Original Message with the exception of the following |
|
|
|
Header Field, which MUST NOT be included within the Inner Message nor |
|
|
|
within any other protected part of the message: |
|
|
|
|
|
|
|
* Bcc |
|
|
|
|
|
|
|
@ -598,7 +608,7 @@ The wrapper is a simple MIME Header Section followed by an empty line |
|
|
|
preceding the Inner Message (inside the Outer Message Body). The media |
|
|
|
type of the wrapper MUST be "message/RFC822" and SHOULD contain the |
|
|
|
Content-Type header field parameter "forwarded=no" as defined in |
|
|
|
{{I-D.melnikov-iana-reg-forwarded}}. The wrapper delimits unambigously |
|
|
|
{{I-D.melnikov-iana-reg-forwarded}}. The wrapper delimits unambiguously |
|
|
|
the Inner Message from the rest of the message. |
|
|
|
|
|
|
|
|
|
|
|
@ -615,11 +625,18 @@ per {{RFC8551}}. |
|
|
|
The following Header Fields are defined as the Essential Header Fields: |
|
|
|
|
|
|
|
* From |
|
|
|
* To (if present in the OrigM) |
|
|
|
* Cc (if present in the OrigM) |
|
|
|
* Bcc (if present in the OrigM, see also {{inner-msg-hf}} and {{bcc-handling}}) |
|
|
|
|
|
|
|
* To (if present in the Original Message) |
|
|
|
|
|
|
|
* Cc (if present in the Original Message) |
|
|
|
|
|
|
|
* Bcc (if present in the Original Message, see also {{inner-msg-hf}} |
|
|
|
and {{bcc-handling}}) |
|
|
|
|
|
|
|
* Date |
|
|
|
|
|
|
|
* Message-ID |
|
|
|
|
|
|
|
* Subject |
|
|
|
|
|
|
|
<!-- if not SMTP, it is not relevant to IETF. |
|
|
|
@ -629,14 +646,14 @@ verify 6409 is a good reference, split to RFC5322 and RFC6409 |
|
|
|
--> |
|
|
|
Some of these Header Fields are required by the submission service |
|
|
|
{{RFC6409}} (e.g. From, Date). Furthermore, not including certain Header |
|
|
|
Fields may trigger spam detection to flag the message as spam and/or |
|
|
|
Fields may trigger spam detection to flag the message and/or |
|
|
|
lead to user experience (UX) issues. |
|
|
|
|
|
|
|
For further Data Minimization the value of the Subject Header Field |
|
|
|
For further Data Minimization, the value of the Subject Header Field |
|
|
|
SHOULD be obfuscated. In addition, the value of other Essential Header |
|
|
|
Fields MAY be obfuscated. Further Header Fields MAY be obfuscated, |
|
|
|
though simply not adding those to the Outer Message Header SHOULD be |
|
|
|
prefered over obfuscation. Header Field obfuscation is further |
|
|
|
preferred over obfuscation. Header Field obfuscation is further |
|
|
|
specified in {{obfuscation-outer-HF}}. Header Fields not obfuscated |
|
|
|
should contain the same values as in the Original Message. |
|
|
|
|
|
|
|
@ -695,7 +712,7 @@ the same week. \]\] |
|
|
|
|
|
|
|
|
|
|
|
In certain implementations also the From, To, and/or Cc Header Field |
|
|
|
MAY be obfucated. Those may be replaced by e.g. |
|
|
|
MAY be obfuscated. Those may be replaced by e.g. |
|
|
|
|
|
|
|
* To: Obfuscated <anonymous@anonymous.invalid> |
|
|
|
|
|
|
|
@ -706,11 +723,15 @@ Such implementations need to ensure that the submission service has access to |
|
|
|
these Header Fields in clear text and is capable of processing those. |
|
|
|
|
|
|
|
A use case for obfuscation of all Outer Message Header Fields is |
|
|
|
mixnet netwerks, i.e. "onion routing" for email (e.g.{{pEp.mixnet}}). |
|
|
|
mixnet networks, i.e. "onion routing" for email (e.g.{{pEp.mixnet}}). |
|
|
|
|
|
|
|
Note: It is for further study to what extent Header Field obfuscation |
|
|
|
(adversely) impacts spam filtering. |
|
|
|
adversely impacts spam filtering. |
|
|
|
|
|
|
|
<!-- suggestion KRB: |
|
|
|
"Further studies of the impact that Header Field obfuscation has on |
|
|
|
spam filtering are needed." |
|
|
|
--> |
|
|
|
|
|
|
|
### Receiving User Facing Message Header Fields {#rufm-hf} |
|
|
|
|
|
|
|
@ -768,7 +789,7 @@ Legend: |
|
|
|
* More-HF: Additional Header Fields (HF) in the Original Message (OrigM) |
|
|
|
|
|
|
|
* Wrapper: MIME Header Section; with media type (message/RFC822) to |
|
|
|
unambigously delimit the inner message from the rest of the |
|
|
|
unambiguously delimit the inner message from the rest of the |
|
|
|
message. |
|
|
|
|
|
|
|
* MIME-HSp: MIME Header Section part to describe the encryption or |
|
|
|
@ -805,7 +826,7 @@ The entity applying protection to a message must decide: |
|
|
|
the message? This depends on user request and/or local policy as |
|
|
|
well as availability of cryptographic keys. |
|
|
|
|
|
|
|
* Which Header Fields of the Orignial Message shall be part of the |
|
|
|
* Which Header Fields of the Original Message shall be part of the |
|
|
|
Outer Message Header Section? This typically depends on local |
|
|
|
policy. By default the Essential Header Fields are part of the Outer |
|
|
|
Message Header Section; cf. {{outer-msg-hf}}. |
|
|
|
@ -831,9 +852,9 @@ part, which depends on the protection level selected in |
|
|
|
|
|
|
|
#### Step 3: Apply Protection to the Original Message {#sending-side-step-3} |
|
|
|
|
|
|
|
Depending on the Protection Level selected in {{sending-side-step-1}} |
|
|
|
apply signature and/or encryption to the Original Message including |
|
|
|
the wrapper (as per {{RFC8551}}) and set the result to the message as |
|
|
|
Depending on the Protection Level selected in {{sending-side-step-1}}, |
|
|
|
apply signature and/or encryption to the Original Message, including |
|
|
|
the wrapper (as per {{RFC8551}}), and set the result to the message as |
|
|
|
Outer Message Body. |
|
|
|
|
|
|
|
The resulting (Outer) Message is then typically handed over to the |
|
|
|
@ -844,12 +865,12 @@ Transport. |
|
|
|
|
|
|
|
### Receiving Side Message Processing |
|
|
|
|
|
|
|
When a protected message is received the following steps are applied: |
|
|
|
When a protected message is received, the following steps are applied: |
|
|
|
|
|
|
|
|
|
|
|
#### Step 1: Decrypt message and/or check signature {#receiving-side-step-1} |
|
|
|
|
|
|
|
Depending on the protection level the received message is decrypted |
|
|
|
Depending on the protection level, the received message is decrypted |
|
|
|
and/or its signature is checked as per {{RFC8551}}. |
|
|
|
|
|
|
|
|
|
|
|
@ -859,36 +880,36 @@ The Receiving User Facing Message is constructed according to |
|
|
|
{{rufm-hf}}. |
|
|
|
|
|
|
|
The resulting message is handed over for further processing, which |
|
|
|
typically involves rendering it to the user. |
|
|
|
typically involves rendering it for the user. |
|
|
|
|
|
|
|
|
|
|
|
Note: It is for further study whether and, if yes, how the Outer |
|
|
|
Message Header Section (as received from the Transport) is |
|
|
|
preserved for the user. |
|
|
|
Note: Further study is needed to determine whether or not the Outer |
|
|
|
Message Header Section, as received from the Transport, is |
|
|
|
preserved for the user, and if so, how this is to be achieved. |
|
|
|
|
|
|
|
|
|
|
|
## Backward Compatibility Use Case {#backward-compatibility-use-case} |
|
|
|
|
|
|
|
{{I-D.autocrypt-lamps-protected-headers}} describes a possibility to |
|
|
|
{{I-D.autocrypt-lamps-protected-headers}} describes a possible way to |
|
|
|
achieve backward compatibility with existing S/MIME (and PGP/MIME) |
|
|
|
implementations unaware of this specification (Legacy Display). It |
|
|
|
implementations that predate this specification (Legacy Display). It |
|
|
|
mainly focuses on email clients that do not render emails using header |
|
|
|
protection (nicely) and may confuse the user. While this has been |
|
|
|
observed occasionally in PGP/MIME (cf. {{RFC3156}}), the extent of |
|
|
|
this problem with S/MIME implementations is still unclear. (Note: At |
|
|
|
this time, none of the samples in |
|
|
|
{{I-D.autocrypt-lamps-protected-headers}} applies header protection as |
|
|
|
protection (in a user friendly manner) and may confuse the user. While |
|
|
|
this has been observed occasionally in PGP/MIME (cf. {{RFC3156}}), the |
|
|
|
extent of this problem with S/MIME implementations is still |
|
|
|
unclear. (Note: At this time, none of the samples in |
|
|
|
{{I-D.autocrypt-lamps-protected-headers}} apply header protection as |
|
|
|
specified in Section 3.1 of {{RFC8551}}, which is wrapping as Media |
|
|
|
Type "message/RFC822".) |
|
|
|
|
|
|
|
Should serious backward compatibility issues with rendering at the |
|
|
|
receiver reveal, the Legacy Display format described in |
|
|
|
receiver be discovered, the Legacy Display format described in |
|
|
|
{{I-D.autocrypt-lamps-protected-headers}} may serve as a basis to |
|
|
|
mitigate those (backward compatibility use case). |
|
|
|
mitigate those issues (cf. {{backward-compatibility-use-case}}). |
|
|
|
|
|
|
|
Another variant of backward compatibility has been implemented by pEp |
|
|
|
{{I-D.pep-email}}, i.e. pEp Email Format 1.0. At this time pEp |
|
|
|
has implemented this for PGP/MIME (but not yet S/MIME). |
|
|
|
has implemented this for PGP/MIME, but not yet S/MIME. |
|
|
|
|
|
|
|
|
|
|
|
# Security Considerations |
|
|
|
@ -911,10 +932,11 @@ This document requests no action from IANA. |
|
|
|
# Acknowledgments |
|
|
|
|
|
|
|
The authors would like to thank the following people who have provided |
|
|
|
helpful comments and suggestions for this document: Claudio Luck, |
|
|
|
David Wilson, Hernani Marques, Krista Bennett, Kelly Bristol, Robert |
|
|
|
Williams, Sofia Balicka, Steve Kille, Volker Birk, and Wei Chuang. |
|
|
|
<!-- TODO: add DKG either to authors or to Acknowledgements --> |
|
|
|
helpful comments and suggestions for this document: Berna Alp, Claudio |
|
|
|
Luck, David Wilson, Hernani Marques, Krista Bennett, Kelly Bristol, |
|
|
|
Robert Williams, Sofia Balicka, Steve Kille, Volker Birk, and Wei |
|
|
|
Chuang. <!-- TODO: add DKG either to authors or to Acknowledgements |
|
|
|
--> |
|
|
|
|
|
|
|
--- back |
|
|
|
|
|
|
|
@ -939,26 +961,25 @@ header field may appear in up to three different variants: |
|
|
|
field, which depends on the implementation: |
|
|
|
|
|
|
|
a) One message for each recipient in the Bcc header field |
|
|
|
separately with a Bcc header field containing only the address |
|
|
|
of the recipient it is sent to |
|
|
|
separately, with a Bcc header field containing only the address |
|
|
|
of the recipient it is sent to. |
|
|
|
|
|
|
|
b) The same message for each recipient in the Bcc header field with |
|
|
|
a Bcc header field containing an indication such as "Undisclosed |
|
|
|
recipients" (but no addressees) |
|
|
|
recipients", but no addresses. |
|
|
|
|
|
|
|
c) The same message for each recipient in the Bcc header field |
|
|
|
which does not include a Bcc header field (this message is |
|
|
|
identical to 1. / cf. above) |
|
|
|
identical to 1. / cf. above). |
|
|
|
|
|
|
|
3. The message stored in the 'Sent'-Folder of the sender, which |
|
|
|
usually contains the Bcc unchanged from the original message, |
|
|
|
i.e. with all recipient addresses. |
|
|
|
i.e., with all recipient addresses. |
|
|
|
|
|
|
|
The most privacy preserving of the alternatives (2a, 2b, and 2c) |
|
|
|
is to standardize 2a, as in the other |
|
|
|
cases (2b and 2c) information about hidden recipients is revealed via |
|
|
|
keys. In any case the message has to be cloned and adjusted depending |
|
|
|
on the recipient. |
|
|
|
The most privacy preserving method of the alternatives (2a, 2b, and |
|
|
|
2c) is to standardize 2a, as in the other cases (2b and 2c), |
|
|
|
information about hidden recipients is revealed via keys. In any case, |
|
|
|
the message has to be cloned and adjusted depending on the recipient. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -980,7 +1001,7 @@ on the recipient. |
|
|
|
before publication. \]\] |
|
|
|
|
|
|
|
* Ensure "protected header" (Ex-Memory-Hole) option is (fully) |
|
|
|
compliant with the MIME standard, in particuar also {{RFC2046}}, |
|
|
|
compliant with the MIME standard, in particular also {{RFC2046}}, |
|
|
|
Section 5.1. (Multipart Media Type) {{option-ex-memory-hole}}. |
|
|
|
|
|
|
|
|
|
|
|
|
