Phill,
At 06:38 AM 3/4/2004, Hallam-Baker, Phillip wrote:
> > The SMTP clients and servers exchange that information during
> > the EHLO session of the SMTP transaction. Why do you need to
> > advertise that via DNS?
> There is a downgrade attack. The parties do not know
> that the other accepts TLS. This means that an active
> man-in-the-middle attack could be used to prevent the session
> upgrading to TLS.
I don't think we should worry about active man-in-the-middle attacks
against antispam mechanisms. It seems like a lot of work to get a
relatively small effect. Besides that, even if TLS were generally used
between MTAs, it would not be universal. I think at best, TLS would
introduce a new class of mail, i.e. mail from authenticated smtp
senders. So the m-i-m attack would serve only to downgrade particular mail
and never succeed in upgrading it.
Mark
> Of course if you do not have DNSSEC the same argument
> could be made against DNS.
> > Leaving all of this aside, how will the use of TLS with SMTP help
> > resolve the spam problem?
> It is just another authentication mechanism, very similar to
> CallerID/SPF in features offered. But it does have a much higher
> barrier to entry - for the authentication to be useful you need
> trustworthy third parties.
> Phill
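The downgrade Phill describes, and his DNSSEC caveat, can be made concrete with a small model of the sending MTA's decision after EHLO. This is an added example, not code from the ASRG thread or from any MTA: the `TlsPolicy` record is a hypothetical stand-in for an out-of-band "this peer supports TLS" advertisement, and the EHLO replies are constructed sample text. It shows that a purely opportunistic sender cannot distinguish a server with no TLS from one whose STARTTLS keyword was removed in transit, and that an advertised policy only changes the outcome when the sender can authenticate it (here, via a DNSSEC-validated flag).

```python
"""Client-side STARTTLS decision: opportunistic vs. policy-required TLS.

Added illustration for the ASRG discussion above. All EHLO replies and
policy records are constructed sample data, not captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsPolicy:
    """What the sender knows about the peer before connecting.

    Hypothetical structure: `require_tls` models the out-of-band
    advertisement the thread discusses (e.g. a DNS record) and
    `dnssec_validated` records whether that DNS answer was authenticated.
    """
    require_tls: bool
    dnssec_validated: bool


def parse_ehlo_capabilities(ehlo_response: str) -> set[str]:
    """Return the keywords advertised in a multi-line 250 reply to EHLO.

    The first 250 line carries the server's name and is skipped; later
    lines are "250-KEYWORD ..." or, for the last line, "250 KEYWORD ...".
    """
    caps: set[str] = set()
    greeting_seen = False
    for line in ehlo_response.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        body = line[3:].lstrip("- ")
        if body:
            caps.add(body.split()[0].upper())
    return caps


def decide_transport(ehlo_response: str, policy: Optional[TlsPolicy]) -> str:
    """Decide how to proceed once the EHLO capability list has been read.

    Returns "tls" when STARTTLS is offered, "plaintext" when the sender has
    no trustworthy reason to expect TLS (opportunistic behaviour), and
    "abort" when an authenticated policy says the peer must support TLS
    but the keyword is absent. Only the last case turns a missing
    STARTTLS into a detected failure instead of a silent fallback.
    """
    caps = parse_ehlo_capabilities(ehlo_response)
    if "STARTTLS" in caps:
        return "tls"
    # No policy, or a policy the sender cannot authenticate (no DNSSEC):
    # "server has no TLS" and "keyword stripped" look identical here.
    if policy is None or not policy.require_tls or not policy.dnssec_validated:
        return "plaintext"
    return "abort"


# Constructed sample replies: the same server, with and without STARTTLS.
EHLO_WITH_TLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


if __name__ == "__main__":
    cases = [
        ("STARTTLS offered, no policy", EHLO_WITH_TLS, None),
        ("STARTTLS missing, no policy", EHLO_WITHOUT_TLS, None),
        ("STARTTLS missing, unauthenticated policy",
         EHLO_WITHOUT_TLS, TlsPolicy(require_tls=True, dnssec_validated=False)),
        ("STARTTLS missing, DNSSEC-validated policy",
         EHLO_WITHOUT_TLS, TlsPolicy(require_tls=True, dnssec_validated=True)),
    ]
    for label, reply, policy in cases:
        print(f"{label}: {decide_transport(reply, policy)}")
```

The two "STARTTLS missing" rows with a policy are the point of the thread: the sender's behaviour is identical to having no policy at all unless the advertisement itself is authenticated, which is why an unsigned DNS record does not close the gap.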
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg