-----Original Message-----
From: Brian E Carpenter [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 30, 2008 12:09 AM
To: General Area Review Team
Cc: Tim Polk; [EMAIL PROTECTED]; Tony Hansen
Subject: Gen-ART LC review of draft-cain-post-inch-phishingextns-04

I have been selected as the General Area Review Team (Gen-ART) reviewer
for this draft (for background on Gen-ART, please see
http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).
Please resolve these comments along with any other Last Call comments
you may receive.
Document: draft-cain-post-inch-phishingextns-04.txt
Reviewer: Brian Carpenter
Review Date: 2008-05-30
IETF LC End Date: 2008-06-20
IESG Telechat date: (if known)

Summary: Ready, one question

Comments: 

This draft seems to be in good shape. 

Had you considered including actual DNS entries with the 
DomainData? I understand that not only may the fraudulent
domain be transitory, but also its actual IP address may
be transitory too. So logging the observed A, AAAA or CNAME
entries within the DomainData could be of forensic value.



---------------------

Brian, 

Thank you for your review.
 
To your question, we have mostly been trying to identify the name servers 
attached to a domain name as the domain goes about its phishing business.
So we structured the XML field using the (more or less) standard fields in 
CRISP, since those are the things we think we want to search on.
A reporter could add almost anything they wanted, though, in one of the big
text block fields. We should probably add an 'other' at the end of the DomainData
so we could capture other things we didn't think of -- like CNAME data. Although
we don't use it now, who knows about the future.

Thanks again for the review.
Pat





_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
