ietf-asrg

[Asrg] RE: 3b. SMTP Session Verification - STARTTLS

2004-03-04 07:45:39
> The SMTP clients and servers exchange that information during
> the EHLO session of the SMTP transaction. Why do you need to
> advertise that via DNS?

There is a downgrade attack. The parties do not know
that the other accepts TLS. This means that an active
man-in-the-middle attack could be used to prevent the session
upgrading to TLS.

Of course, if you do not have DNSSEC the same argument
could be made against DNS.

> Leaving all of this aside, how will the use of TLS with SMTP help
> resolve the spam problem?

It is just another authentication mechanism, very similar to
CallerID/SPF in features offered. But it does have a much higher
barrier to entry - for the authentication to be useful you need
trustworthy third parties.

                Phill

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
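
The downgrade described in this message, as an added example that is not part of the original post: a sending client that knows out of band that the peer accepts TLS can treat a missing STARTTLS keyword in the EHLO reply as a stripped advertisement and refuse to fall back to plaintext. The function names, the `tls_expected` flag (standing in for the DNS advertisement under discussion, which is only as trustworthy as the DNS answer itself) and the sample replies are assumptions constructed for illustration.

```python
# Added example: fail-closed handling of a missing STARTTLS advertisement.
# All names and sample replies are constructed for illustration.

def parse_ehlo_extensions(reply: str) -> set:
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for i, line in enumerate(reply.strip().splitlines()):
        # Every line must be "250-..." (continuation) or "250 ..." (last line).
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line carries the server's domain, not an extension
        fields = line[4:].split()
        if fields:
            exts.add(fields[0].upper())
    return exts


def decide(reply: str, tls_expected: bool) -> str:
    """Choose the next step after EHLO.

    tls_expected is the out-of-band knowledge (assumption: obtained from an
    authenticated source) that this peer accepts TLS.
    """
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "starttls"
    if tls_expected:
        # Peer is known to accept TLS but the keyword is absent: the reply
        # may have been altered in transit. Do not send mail in the clear.
        return "abort"
    return "plaintext"


# Constructed sample replies: what the server sent, and the same reply with
# the STARTTLS line removed on the path.
HONEST = "250-mx.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("honest", HONEST), ("stripped", STRIPPED)):
        for expected in (True, False):
            print(name, "tls_expected=%s" % expected, "->", decide(reply, expected))
```

Without the out-of-band flag the stripped reply is indistinguishable from a server that never offered TLS, which is the case the message describes.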


