Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Mark Andrews writes: > > In message <[EMAIL PROTECTED]>, Pekka Savola writes: > > On Fri, 14 Nov 2008, Mark Andrews wrote: > > >> How does an application do "accept if signed and validated by DNSSEC"? > > > > > > You validate the CERT RRset using the technique

Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Pekka Savola writes: > On Fri, 14 Nov 2008, Mark Andrews wrote: > >> How does an application do "accept if signed and validated by DNSSEC"? > > > > You validate the CERT RRset using the techniques in RFC > > 4033, 4034 and 4035. If the answer is "secure" th

Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Pekka Savola
On Fri, 14 Nov 2008, Mark Andrews wrote: How does an application do "accept if signed and validated by DNSSEC"? You validate the CERT RRset using the techniques in RFC 4033, 4034 and 4035. If the answer is "secure" then it was signed and validated. You the match offere

Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Pekka Savola writes: > On Fri, 14 Nov 2008, Mark Andrews wrote: > > In message > > <[EMAIL PROTECTED]>, Tony Finch writes: > >> You also need the server to provide a verifiable TLS certificate. > >> The vast majority of them are not. This problem is perhaps

Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Pekka Savola
On Fri, 14 Nov 2008, Mark Andrews wrote: In message <[EMAIL PROTECTED]>, Tony Finch writes: You also need the server to provide a verifiable TLS certificate. The vast majority of them are not. This problem is perhaps even harder to fix than the lack of DNSSEC. Just use DNSSEC and CE

Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Tony Finch writes: > You also need the server to provide a verifiable TLS certificate. The vast > majority of them are not. This problem is perhaps even harder to fix than > the lack of DNSSEC. Just use DNSSEC and CERT records to do that. If self

SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-13 Thread Tony Finch
On Thu, 13 Nov 2008, Mark Andrews wrote: >In message <[EMAIL PROTECTED]>, Dave CROCKER writes: >>Mark Andrews wrote: >>>In message <[EMAIL PROTECTED]>, Tony Finch writes: SMTP over TLS to an MX does NOT protect against man in the middle attacks. >>> >>> It does when you turn on DNSSEC >>

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-12 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Dave CROCKER writes: > > > Mark Andrews wrote: > > In message <[EMAIL PROTECTED]>, Tony Finch writes: > >> SMTP over TLS to an MX does NOT protect against man in the middle attacks. > > > > It does when you turn on DNSSEC > > Perhaps I'm not underst

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-12 Thread Dave CROCKER
Mark Andrews wrote: In message <[EMAIL PROTECTED]>, Tony Finch writes: SMTP over TLS to an MX does NOT protect against man in the middle attacks. It does when you turn on DNSSEC Perhaps I'm not understanding, but I think you just confirmed that Tony's statement was correct. d/ --

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-12 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Tony Finch writes: > On Wed, 12 Nov 2008, Mark Andrews wrote: > > > > It also stops the small sites being able to use cryptography to stop man > > in the middle attacks as they are forced to insert a middle man. > SMTP over TLS to an MX does NOT protect against ma

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-12 Thread Tony Finch
On Wed, 12 Nov 2008, Mark Andrews wrote: > > It also stops the small sites being able to use cryptography to stop man > in the middle attacks as they are forced to insert a middle man. SMTP over TLS to an MX does NOT protect against man in the middle attacks. Tony. -- f.anthony.n.finch <[EMAIL

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-12 Thread Rich Kulawiec
On Tue, Nov 11, 2008 at 02:57:32PM -0800, Randy Presuhn wrote: > This may be due to misuse of DNSxL technology or other reputation > systems, but if this small sample is any indication of the > extent to which the technology is being used inappropriately > or incorrectly, it suggests that significa

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-11 Thread Eliot Lear
On 11/12/08 1:03 AM, Dave CROCKER wrote: Why? What are the specific aspects of this specification that fail to qualify for Proposed Standard? This is precisely what I want to know. What changes to the specification will fix these deficiencies? What he said. Eliot

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-11 Thread Dave CROCKER
Randy Presuhn wrote: "Informational" makes sense to me at this time. Why? What are the specific aspects of this specification that fail to qualify for Proposed Standard? What changes to the specification will fix these deficiencies? d/ -- Dave Crocker Brandenburg InternetWorking

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-11 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Jonathan Curtis writes: > > 2. The impact of DNSxL's when applied on Inbound Email Servers is significant > with very little collateral damage. A good estimate is that over 70% of all spam email is prevented by the application of DNSxBL's, sparing many service

Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-11 Thread Randy Presuhn
Hi - > From: "Jonathan Curtis" <[EMAIL PROTECTED]> > To: > Sent: Tuesday, November 11, 2008 12:49 PM > Subject: Comments on Draft IRTF ASRG DNSBL - 07 ... > 2. The impact of DNSxL's when applied on Inbound Email Servers > is significant with very litt

Comments on Draft IRTF ASRG DNSBL - 07

2008-11-11 Thread Jonathan Curtis
Having spent 13 years managing abuse (Spam/Phishing/Botnets) within a large ISP organization, 5 to 6 years in a leadership position of the Messaging Anti-Abuse Working Group and active member of the Canadian National Cyber-Forensics Training Alliance, I can say that DNSxL's are a critical part