In message <[email protected]>, Andrew Sullivan writes:
> On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:
> > I walk into a coffee shop. I get an address. I manage to get IPsec
> > running between the server and myself because both ends are configured
> > for opportunistic IPsec.
>
> What does that have to do with the deployment scenario I was asking
> about in the Microsoft case, or the one I understood Paul to be asking
> about? Those cases are entirely to do with managed infrastructure,
> and the question is, _if_ you have that kind of managed infrastructure
> scenario and _if_ you accept that someone could subvert your
> management model (but you don't care because if they can do that then
> you're screwed anyway), then is there any value in the AD bit? I
> think the answer is, "Maybe," but we're never going to sort that out
> if people persist with arguments about scenarios that have nothing to
> do with the one under discussion.
>
> Yes, you should not trust the AD bit from random parts of the Internet
> or opportunistic IPsec or whatever. But that's not the case we're
> talking about, I think.

s/coffee shop/BYOD and access to the AD DOMAIN resources/

Should you still trust the nameservers to not corrupt DNS responses?

My answer to that is NO, by default. If MS have the machines
configured to do that by default they are leaving the owner of the
machine exposed.

> A
>
> --
> Andrew Sullivan
> [email protected]
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
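
The "NO, by default" position on the AD bit discussed in the message above, sketched as an added example that is not part of the original thread or any vendor's code. The function names, the trust-list parameter and the sample messages are assumptions made for illustration; the header layout and AD bit position are from the DNS specifications.

```python
import ipaddress
import struct

QR_FLAG = 0x8000     # message is a response
AD_FLAG = 0x0020     # "Authentic Data": resolver claims it validated the answer
RCODE_MASK = 0x000F  # response code, 0 = NOERROR


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header that carries the AD bit."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR_FLAG),
            "ad": bool(flags & AD_FLAG), "rcode": flags & RCODE_MASK,
            "ancount": an}


def accept_ad(msg: bytes, resolver_ip: str, trusted_resolvers=()) -> bool:
    """Honour AD only when the resolver was explicitly configured as trusted.

    The AD bit is an unsigned header flag, so it is only as trustworthy as
    the resolver and the path to it. The trust list is empty by default
    (hypothetical policy knob), so the default answer is "no".
    """
    hdr = parse_header(msg)
    if not hdr["qr"] or hdr["rcode"] != 0 or not hdr["ad"]:
        return False
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_resolvers)


def make_response(ad: bool) -> bytes:
    """Constructed header-only response (QR, RD, RA set) for the demo."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    claimed = make_response(ad=True)
    # Resolver handed out by the local network, never configured as trusted.
    print(accept_ad(claimed, "192.0.2.53"))
    # Local validating resolver the machine owner opted in to.
    print(accept_ad(claimed, "127.0.0.1", ["127.0.0.0/8"]))
```
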
