Message Disposition Notification
draft-ietf-appsawg-mdn-3798bis-16

Note: This ballot was opened for revision 15 and is now closed.

Alvaro Retana No Objection

(Ben Campbell; former steering group member) Yes

Yes ( for -15)
No email
send info

(Alia Atlas; former steering group member) No Objection

No Objection (2016-11-29 for -15)
No email
send info
Should the Media-Type registration go to the authors of the draft, as specified, or instead to the appsawg & eventually defaulting to the IESG?

(Alissa Cooper; former steering group member) No Objection

No Objection (2016-11-30 for -15)
No email
send info
Thanks for the good work to improve the privacy properties here.

= Section 6.2 =

"Disposition mode (Section 3.2.6.1) can leak information about
   recipient's MUA configuration, in particular whether MDNs are
   acknowledged manually or automatically.  If this is a concern, MUAs
   can return "manual-action/MDN-sent-manually" disposition mode in
   generated MDNs."

I see why this is here, but doesn't recommending falsifying these fields put their integrity in question whenever they are set to manual? I mean, why would recipients trust this information if the RFC actually suggests sending a field that lies about an MDN being automatically acknowledged?

= Section 6.2.2 =

"The "Reporting-UA" field (Section 3.2.1) might contain enough
   information to uniquely identify a specific device, usually when
   combined with other characteristics, particularly if the user agent
   sends excessive details about the user's system or extensions.
   However, the source of unique information that is least expected by
   users is proactive negotiation, including the Accept-Language header
   fields."

I think the use of "However" is tripping me up here. Earlier in the document you have good recommendations about how to mitigate the risk of fingerprinting based on the Reporting-UA field. That guidance is valid regardless of whether other header fields might also contribute to fingerprinting or whether users would expect that (frankly, I don't see how user expectations are relevant here, since most users don't understand fingerprinting anyway). I think something along the following lines to replace the last sentence above would be more accurate: "Even when the guidance in Section 3.2.1 is followed to avoid fingerprinting, other sources of unique information may still be present, including the Accept-Language header fields."

(Benoît Claise; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Deborah Brungard; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Joel Jaeggli; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Kathleen Moriarty; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Mirja Kühlewind; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Spencer Dawkins; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Stephen Farrell; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Suresh Krishnan; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Terry Manderson; former steering group member) No Objection

No Objection ( for -15)
No email
send info

(Alexey Melnikov; former steering group member) Recuse

Recuse (2016-11-24 for -15)
No email
send info
I am the editor.