Message Disposition Notification
RFC 8098
Note: This ballot was opened for revision 15 and is now closed.
(Ben Campbell) Yes
(Alia Atlas) No Objection
Comment (2016-11-29 for -15)
Should the Media-Type registration go to the authors of the draft, as specified, or instead to the appsawg & eventually defaulting to the IESG?
Deborah Brungard No Objection
(Benoît Claise) No Objection
Alissa Cooper No Objection
Comment (2016-11-30 for -15)
Thanks for the good work to improve the privacy properties here.
= Section 6.2 =
"Disposition mode (Section 3.2.6.1) can leak information about recipient's MUA configuration, in particular whether MDNs are acknowledged manually or automatically. If this is a concern, MUAs can return "manual-action/MDN-sent-manually" disposition mode in generated MDNs."
I see why this is here, but doesn't recommending falsifying these fields put their integrity in question whenever they are set to manual? I mean, why would recipients trust this information if the RFC actually suggests sending a field that lies about an MDN being automatically acknowledged?
= Section 6.2.2 =
"The "Reporting-UA" field (Section 3.2.1) might contain enough information to uniquely identify a specific device, usually when combined with other characteristics, particularly if the user agent sends excessive details about the user's system or extensions. However, the source of unique information that is least expected by users is proactive negotiation, including the Accept-Language header fields."
I think the use of "However" is tripping me up here. Earlier in the document you have good recommendations about how to mitigate the risk of fingerprinting based on the Reporting-UA field. That guidance is valid regardless of whether other header fields might also contribute to fingerprinting or whether users would expect that (frankly, I don't see how user expectations are relevant here, since most users don't understand fingerprinting anyway). I think something along the following lines to replace the last sentence above would be more accurate:
"Even when the guidance in Section 3.2.1 is followed to avoid fingerprinting, other sources of unique information may still be present, including the Accept-Language header fields."
(Spencer Dawkins) No Objection
(Stephen Farrell) No Objection
(Joel Jaeggli) No Objection
(Suresh Krishnan) No Objection
(Mirja Kühlewind) No Objection
(Terry Manderson) No Objection
(Kathleen Moriarty) No Objection
Alvaro Retana No Objection
(Alexey Melnikov) Recuse
Comment (2016-11-24 for -15)
I am the editor.