[Top] [All Lists]


2008-10-27 22:54:08

--On Monday, October 27, 2008 3:03 PM +0000 Tony Finch <dot(_at_)dotat(_dot_)at> wrote:

The same problem applies to the MX mail domain -> hostname
mapping, where TLS is insecure because authenticates the
target not the source.

Absolutely. My comment about DNSSEC referred only to increasing the odds that the MX target list specified by the administrator of the mail domain was the same as the one that was received by the remove SMTP server. Obviously, I hope, if that information is bogus or the environment was compromised in some other way --some way that could be detected by properly structured CA-based certs-- DNSSEC would not help and would, indeed, not add tremendous value. But first one has to find a server before one can validate it and, for that, we are pretty dependent on the DNS.


<Prev in Thread] Current Thread [Next in Thread>