Csaba Nagy <nagy@ecircle-ag.com> writes:
> So: don't use it as a unique identifier.
>
> On Tue, 2004-10-12 at 17:01, Jerry LeVan wrote:
> >
> > Is the "Message-ID" header field a globally unique identifer?
> >
[Isn't it awfully confusing to put your answers before the thing you're
responding to?]
Let me suggest a higher-level view of your design decision here.
You shouldn't use the message-id as a unique identifier on the general
principle that it is untrusted network data. You can never trust entities
outside your control to behave the way you expect, even if there's an
authority to back you up. They could be deficient or even hostile.
Even if you don't trust the message-id generated by external users to provide
any particular semantics it can still be useful. You can allow clients to
request a particular message by message-id for example. Just make sure you
apply the regular security checks and don't assume that because they know the
message-id they must have access to the message. And make sure your regression
tests include testing the case of having thousands of messages with identical
message-ids, even though that should never arise in practice if everything
works the way it's supposed to.
--
greg
