- From: Al Gilman <Alfred.S.Gilman@IEEE.org>
- Date: Sun, 6 Jan 2008 12:39:46 -0500
- To: John Cowan <cowan@ccil.org>, Martin Duerst <duerst@it.aoyama.ac.jp>
- Cc: uri@w3.org, Larry Masinter <LMM@acm.org>, jwz@jwz.org
At 2:36 AM -0500 6 01 2008, John Cowan wrote:
>Martin Duerst scripsit:
>
>> In particular, the current spec for mailto:, RFC 2368, contains
>> some advice against using a bcc field in a mailto: URI, but this
>> doesn't seem to be followed, and we were unable to find any reason,
>> so we removed it. Comments on this (both positive and negative,
>> if possible with reasons) would be appreciated.
>
>The whole point of bcc: is to keep certain recipients secret,
>but if they are exposed in the mailto: URL, they are hardly
>a secret any more, eh?

Not really. The *main* point of a Bcc: is to get the Bcc: addressee(s) a copy of the information. Concealing this fact is secondary.

It is true that the mailgram once sent does not inform the Cc: recipients that the Bcc: recipients have also received copies. This may be to curtail clutter from thoughtless use of reply-all or it may actually be important to conceal this information.

In any case, the URL discloses the Bcc: recipients to the person *sending* the mail and the Bcc: recipient identities were never intended to be secret from the originator of the RFC-2821/22 mail transaction. The recipients of the Mailgram don't get a copy of the URI that was used to initialize the Mail-sending session.

Yes, it's on the Web and can most likely be discovered by a well-crafted search. There are plenty of uses for Bcc: where the identity of the concealed recipients is not that big a secret.

It could be worth a note in "Security Considerations" that leaving a mailto: URI on the public Web discloses the Bcc: recipients' email addresses for spammer harvesting; that there is not much secrecy to the address once let loose in a URI in a hypertext document. But the URI binds those addresses to a message template, not a message. The message itself does not offer a trace-back to the URI. There's no Referrer in a mailgram.
Al

>
>--
>John Cowan cowan@ccil.org http://ccil.org/~cowan
>The known is finite, the unknown infinite; intellectually we stand
>on an islet in the midst of an illimitable ocean of inexplicability.
>Our business in every generation is to reclaim a little more land,
>to add something to the extent and the solidity of our possessions.
> --Thomas Henry Huxley
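As an added example (not code from this thread or from the RFC editors), here is a small Python parser for the RFC 2368 mailto: shape discussed above, together with a hypothetical page scanner that reports which Bcc: addresses a hypertext document would expose to anyone fetching it; the HTML sample is constructed.

```python
import html
import re
from urllib.parse import unquote

# Added example, not from the thread. Per RFC 2368 a mailto: URI is
# "mailto:" [ to ] [ "?" hname "=" hvalue *( "&" hname "=" hvalue ) ],
# and a "to" hfield appends to the addresses given before the "?".
ADDRESS_HEADERS = {"to", "cc", "bcc"}

def _values(name, raw):
    # Address headers are comma-separated lists; anything else is one value.
    if name in ADDRESS_HEADERS:
        return [a.strip() for a in raw.split(",") if a.strip()]
    return [raw]

def parse_mailto(uri):
    """Return {header-name: [values]} for a mailto: URI (names lower-cased)."""
    if uri[:7].lower() != "mailto:":
        raise ValueError("not a mailto: URI")
    to_part, _, query = uri[7:].partition("?")
    headers = {}
    if to_part:
        headers["to"] = _values("to", unquote(to_part))
    for field in filter(None, query.split("&")):
        name, _, value = field.partition("=")
        name = unquote(name).lower()
        headers.setdefault(name, []).extend(_values(name, unquote(value)))
    return headers

# Hypothetical scanner over a page's own HTML: every mailto: link carrying a
# bcc hfield exposes those addresses to anyone who can fetch the page, which
# is the harvesting concern raised in the message above.
HREF_RE = re.compile(r'href="(mailto:[^"]*)"', re.IGNORECASE)

def find_bcc_disclosures(page_html):
    hits = []
    for href in HREF_RE.findall(page_html):
        uri = html.unescape(href)          # "&amp;" separates hfields in HTML
        headers = parse_mailto(uri)
        if headers.get("bcc"):
            hits.append((uri, headers["bcc"]))
    return hits

# Constructed sample page: one link leaks two Bcc: addresses, one does not.
SAMPLE_HTML = """
<a href="mailto:list@example.org?subject=Comments&amp;bcc=archive@example.org,audit@example.org">Send</a>
<a href="mailto:info@example.org?subject=Hello%20there">Contact</a>
"""
```

Calling `find_bcc_disclosures(SAMPLE_HTML)` returns the first link with `['archive@example.org', 'audit@example.org']`, which is exactly what a reader of the published page can read out of it.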
Received on Sunday, 6 January 2008 17:40:01 UTC