ietf-mxcomp

Re: CSV specification revision available

2004-06-17 05:58:13

On Thu, 17 Jun 2004, Dave Crocker wrote:

> CSA is about authorization, not authentication.

OK. But the point of using CSA as opposed to any other lookup mechanism is
it gives you authn and authz in one protocol exchange. And the other
authn mechanisms described in HNA are too unwieldy for use on the scale of
the Internet.

I think that CSA is elegant and simple, but I think its specification is
being WAY overdone. Three documents to describe an enhancement to forward
and reverse DNS consistency checking?! People will get bored with the
abstract discussion of the principles of security protocol design and not
bother to read as far as the bit that explains how to implement it.

I'm afraid I'm getting a bit frustrated because I doubt this will get
anywhere near deployment.

> Huh?  CSA _is_ the forward DNS process.  Take the EHLO domain, do a
> lookup on _client._smtp.<ehlo domain> and get back the authorization
> SRV.

OK, but that's different from the normal A or AAAA lookup for the bare
EHLO domain which HNA appears to describe. And "CSA is about
authorization, not authentication."

-- 
Tony Finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/