Re: Predraft of a new URL scheme: mailmsg

Larry Masinter (masinter@parc.xerox.com)
Wed, 4 Jan 1995 11:55:33 PST


To: mvanheyn@cs.indiana.edu
Cc: raisch@internet.com, uri@bunyip.com, nsb@bellcore.com
In-Reply-To: mvanheyn@cs.indiana.edu's message of Wed, 4 Jan 1995 10:34:00 -0800 <95Jan4.103403pst.2763@golden.parc.xerox.com>
Subject: Re: Predraft of a new URL scheme: mailmsg
From: Larry Masinter <masinter@parc.xerox.com>
Message-Id: <95Jan4.115534pst.2760@golden.parc.xerox.com>
Date: Wed, 4 Jan 1995 11:55:33 PST

I've realized that the 'security hole' we've identified with the
proposed 'mailmsg' URL scheme exists also for use of the
message/external-body, but RFC1521 doesn't call it out particularly. I
don't think that we should shirk dealing with security considerations
in URL schemes, but rather, we might expect RFC1521 to expand the
security consideration section to address the issue of possible
mail-spoofing in message/external-body messages, e.g.:

================================================================
Content-Type: message/external-body; access-type=mail-server
Server="president@whitehouse.gov"

Content-type: text/plain
Content-ID: <666@devil.org>

Insert generic death threat here.
================================================================
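The receiving side of the issue raised above, as an added example (not part of the original message or of RFC1521): Python that locates `message/external-body` parts with `access-type=mail-server` and returns the address and the phantom-body text a mail client would send in the reader's name, so that both can be shown for confirmation instead of being sent automatically. The sample message, its addresses, the function names and the `require_confirmation` label are constructed for illustration.

```python
import email
import email.utils

# Constructed sample message; all addresses are placeholders.
SAMPLE = """\
From: sender@example.org
To: reader@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/external-body; access-type=mail-server;
 server="third-party@example.com"; subject="hello"

Content-Type: text/plain
Content-ID: <1@example.org>

text that would be mailed to the server address
--b1--
"""

def _param(part, name):
    """Content-Type parameter as a plain string, or None if absent."""
    value = part.get_param(name)
    return None if value is None else email.utils.collapse_rfc2231_value(value)

def find_mail_server_refs(raw):
    """Return one finding per external-body part that asks for mail to be sent."""
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/external-body":
            continue
        if (_param(part, "access-type") or "").lower() != "mail-server":
            continue
        # The parser exposes the encapsulated headers and phantom body as a
        # nested message; its payload is the text destined for the server.
        inner = part.get_payload()
        phantom = inner[0].get_payload() if isinstance(inner, list) and inner else ""
        findings.append({
            "server": _param(part, "server"),
            "subject": _param(part, "subject"),
            "phantom_body": phantom.strip(),
            # Assumed client policy: show recipient and text, then ask.
            "action": "require_confirmation",
        })
    return findings
```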