-----Original Message-----
From: Brian E Carpenter [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2008 12:09 AM
To: General Area Review Team
Cc: Tim Polk; [EMAIL PROTECTED]; Tony Hansen
Subject: Gen-ART LC review of draft-cain-post-inch-phishingextns-04

I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-cain-post-inch-phishingextns-04.txt
Reviewer: Brian Carpenter
Review Date: 2008-05-30
IETF LC End Date: 2008-06-20
IESG Telechat date: (if known)

Summary: Ready, one question

Comments:

This draft seems to be in good shape.

Had you considered including actual DNS entries with the DomainData? I understand that not only may the fraudulent domain be transitory, but also its actual IP address may be transitory too. So logging the observed A, AAAA or CNAME entries within the DomainData could be of forensic value.

---------------------

Brian,

Thank you for your review.

To your question, we have mostly been trying to identify the name servers attached to a domain name as the domain goes about its phishing business. So we structured the XML field using the (more or less) standard fields in CRISP, since those are the things we think we want to search on. A reporter could add almost anything they wanted, tho, in one of the big text block fields.

We should probably add an 'other' at the end of the DomainData so we could capture other things we didn't think of -- like CNAME data. Although we don't use it now, who knows about the future.

Thanks again for the review.

Pat
