**Session Date/Time:** 20 Mar 2025 02:30

# mailmaint

## Summary

The IETF mailmaint working group meeting covered the status of active drafts, several of which are ready for working group last call, and reviewed proposed new work items. Key discussions included the expires header field standardization, OAuth profile for email authentication, auto-configuration mechanisms, and several new proposals for web push notifications and data portability. The session also welcomed new AD Andy Newton and addressed various implementation and security considerations across the work items.

## Key Discussion Points

### Active Drafts Status

- **Wrong recipient URL draft**: Completed working group last call with minor comments from Alexi. Security considerations need enhancement regarding privacy implications (phishing concerns, revealing human presence). John will add privacy security considerations to the draft.
- **IMAP/JMAP keyword registration**: Went through last call with no issues. Jim volunteered to do the shepherd write-up.
- **UID batches**: Daniel reports good feedback received and implementation ready. Bron has production implementation at FastMail running for 6+ weeks. Alexi volunteered to implement over the weekend. Ready for working group last call pending multiple implementations discussion.

### Expires Header Field Discussion

- 40-year-old concept from Usenet (1983) and X.400 translation (1998)
- Previous standardization attempts failed due to unclear semantics about what "expired" means
- New implementations from European operators using current draft definition
- Debate over whether to include "expires-because" extension for semantic clarity
- Security concerns about automatic deletion vs. user control
- Consensus to proceed as standards track, with expires-because as optional extension
- Agreement that deletion must require user consent, not automatic

### OAuth Profile for Email

- Addresses security problems with username/password authentication
- Profile doesn't define new OAuth mechanisms, just secure interoperable usage
- Updated draft includes standard scopes registry, error handling, token validity requirements
- Concerns raised about OAuth complexity and browser requirement
- Discussion of alternative authentication mechanisms (passkeys mentioned)
- Legal agreement concerns between client/server vendors addressed
- General support for proceeding while encouraging alternative proposals

### Auto-Configuration

- Two approaches discussed: existing Thunderbird format (informational) and new DNS-based approach
- Existing format has 15 years deployment history, helps ~100,000 users daily
- New format uses DNS SRV records and JSON, assumes username equals email address
- Debate over "best practices" assumption and edge cases (government emails, multi-server setups)
- Agreement that auto-config doesn't need to solve 100% of cases
- Ben to seek technical review for existing format before last call

## Decisions and Action Items

### Immediate Actions

- **John**: Add privacy/security considerations to wrong recipient draft and post to list
- **Jim**: Complete shepherd write-up for IMAP/JMAP keyword registration draft
- **Alexi**: Implement UID batches over the weekend
- **Chairs**: Take UID batches to working group last call after implementation completion
- **John**: Create draft merging expires header with expires-because extension
- **Ben**: Get technical review for auto-config draft before proceeding to last call

### Working Group Last Calls Planned

- UID batches (pending Alexi's implementation)
- Auto-config existing format (pending technical review)
- Wrong recipient URL (if security additions are substantial)

### Adoption Requests

- **Web push for IMAP**: Take to list to gauge interest and implementation commitment
- **Personal data portability archive**: Take to list for adoption discussion
- **Enhanced SMTP status codes**: Experimental track if Comcast continues experimentation
- **Email feedback reports**: Need multiple implementations before consideration

## Next Steps

### Implementation Requirements

- Multiple implementations needed for UID batches before last call
- OAuth profile needs implementations for testing and validation
- Web push proposal needs commitment from multiple implementers
- Auto-discovery mechanism needed to unblock OAuth profile progress

### Specification Development

- Continue work on new auto-config format with DNS-based approach
- Develop experimental framework for SMTP status codes if industry interest continues
- Flesh out data portability archive format with additional schemas and format specifications

### Coordination Activities

- OAuth profile security review with OAuth working group during last call
- Coordinate with email core working group on SMTP registry maintenance work
- Follow up with Comcast on SMTP extensions experimentation status