Message Disposition Notification
draft-ietf-appsawg-mdn-3798bis-16
Yes
(Ben Campbell)
No Objection
(Alvaro Retana)
(Benoît Claise)
(Deborah Brungard)
(Joel Jaeggli)
(Kathleen Moriarty)
(Mirja Kühlewind)
(Spencer Dawkins)
(Stephen Farrell)
(Suresh Krishnan)
(Terry Manderson)
Recuse
Note: This ballot was opened for revision 15 and is now closed.
Ben Campbell Former IESG member
Yes
(for -15)
Unknown
Alia Atlas Former IESG member
No Objection
(2016-11-29 for -15)
Unknown
Should the Media-Type registration go to the authors of the draft, as specified, or instead to the appsawg & eventually defaulting to the IESG?
Alissa Cooper Former IESG member
No Objection
(2016-11-30 for -15)
Unknown
Thanks for the good work to improve the privacy properties here.
= Section 6.2 =
"Disposition mode (Section 3.2.6.1) can leak information about recipient's MUA configuration, in particular whether MDNs are acknowledged manually or automatically. If this is a concern, MUAs can return "manual-action/MDN-sent-manually" disposition mode in generated MDNs."
I see why this is here, but doesn't recommending falsifying these fields put their integrity in question whenever they are set to manual? I mean, why would recipients trust this information if the RFC actually suggests sending a field that lies about an MDN being automatically acknowledged?
= Section 6.2.2 =
"The "Reporting-UA" field (Section 3.2.1) might contain enough information to uniquely identify a specific device, usually when combined with other characteristics, particularly if the user agent sends excessive details about the user's system or extensions. However, the source of unique information that is least expected by users is proactive negotiation, including the Accept-Language header fields."
I think the use of "However" is tripping me up here. Earlier in the document you have good recommendations about how to mitigate the risk of fingerprinting based on the Reporting-UA field. That guidance is valid regardless of whether other header fields might also contribute to fingerprinting or whether users would expect that (frankly, I don't see how user expectations are relevant here, since most users don't understand fingerprinting anyway). I think something along the following lines to replace the last sentence above would be more accurate:
"Even when the guidance in Section 3.2.1 is followed to avoid fingerprinting, other sources of unique information may still be present, including the Accept-Language header fields."
Alvaro Retana Former IESG member
No Objection
(for -15)
Unknown
Benoît Claise Former IESG member
No Objection
(for -15)
Unknown
Deborah Brungard Former IESG member
No Objection
(for -15)
Unknown
Joel Jaeggli Former IESG member
No Objection
(for -15)
Unknown
Kathleen Moriarty Former IESG member
No Objection
(for -15)
Unknown
Mirja Kühlewind Former IESG member
No Objection
(for -15)
Unknown
Spencer Dawkins Former IESG member
No Objection
(for -15)
Unknown
Stephen Farrell Former IESG member
No Objection
(for -15)
Unknown
Suresh Krishnan Former IESG member
No Objection
(for -15)
Unknown
Terry Manderson Former IESG member
No Objection
(for -15)
Unknown
Alexey Melnikov Former IESG member
Recuse
(2016-11-24 for -15)
Unknown
I am the editor.