On 09/01/2019 01:01, Viruthagiri Thirumavalavan wrote:
So explain what your proposal gives us that DNSSEC+STARTTLS
doesn't give us?
mail.example.com connecting to mail.yahoo.com with its IP address
yahoo.com => 220 mail.yahoo.com Yahoo ESMTP Service Ready
example.com => EHLO mail.example.com
yahoo.com => 250-Hello, nice to meet you, mail.example.com
yahoo.com => 250-SIZE 1000000
yahoo.com => 250-8BITMIME
yahoo.com => 250 STARTTLS
example.com => STARTTLS
yahoo.com => 220 Go ahead
Key exchange happens here and the rest of the email part is encrypted
Are you saying all of those parts can be encrypted via DNSSEC+STARTTLS?
No they can't.
BUT, the bit you seem to be missing is that all that info is still
visible to a MITM attack even with your proposal. Anyone else can
connect to the same IP/port that they've snooped you connecting to, and
see the same info, and that info isn't exactly secret anyway.
--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
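The following is an added example, not code from either poster or from any MTA. It scripts the client side of the SMTP dialogue quoted above against a canned server, and records every line that crosses the wire before the server's "220 Go ahead": that cleartext prefix (banner, EHLO hostname, advertised extensions) is exactly what an on-path observer can read regardless of how the TLS step is later authenticated. It also shows the defender-side behaviour a DANE/MTA-STS aware sender needs, refusing to continue in cleartext when STARTTLS is not advertised (for example because an intermediary stripped it). The server replies are constructed from the thread's transcript; the class and function names (`ScriptedServer`, `pre_tls_dialogue`, and so on) are this example's own.

```python
"""Model the cleartext part of an SMTP session up to STARTTLS (added example)."""

from dataclasses import dataclass, field


class StartTlsNotOffered(Exception):
    """Raised when the client insists on TLS but the peer does not offer it."""


@dataclass
class ScriptedServer:
    """A fake receiving MTA that answers from a canned script (constructed)."""
    banner: str
    ehlo_reply: list            # "250-..." continuation lines, last one "250 ..."
    starttls_reply: str = "220 Go ahead"

    def respond(self, command):
        if command is None:     # connection just opened: send the banner
            return [self.banner]
        verb = command.split()[0].upper()
        if verb == "EHLO":
            return self.ehlo_reply
        if verb == "STARTTLS":
            return [self.starttls_reply]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["500 Command not understood"]


@dataclass
class SessionRecord:
    """Everything exchanged before encryption, i.e. what an observer can read."""
    cleartext: list = field(default_factory=list)   # (direction, line) pairs
    capabilities: dict = field(default_factory=dict)
    tls_started: bool = False


def parse_ehlo_reply(lines):
    """Turn '250-SIZE 1000000' style lines into {'SIZE': '1000000', ...}.

    The first line is the greeting and carries no capability; a non-250
    reply yields an empty dict.
    """
    caps = {}
    if not lines or not lines[0].startswith("250"):
        return caps
    for line in lines[1:]:
        keyword, _, params = line[4:].partition(" ")   # drop "250-" / "250 "
        caps[keyword.upper()] = params
    return caps


def pre_tls_dialogue(server, client_name, require_starttls=True):
    """Run the client side of the session up to and including STARTTLS.

    With require_starttls=True the client quits instead of delivering in
    cleartext when STARTTLS is missing from the EHLO reply, which is how a
    sender with a DANE or MTA-STS policy for the domain should behave.
    """
    rec = SessionRecord()

    def exchange(command):
        if command is not None:
            rec.cleartext.append(("C", command))
        replies = server.respond(command)
        rec.cleartext.extend(("S", r) for r in replies)
        return replies

    exchange(None)                                          # 220 banner
    rec.capabilities = parse_ehlo_reply(exchange(f"EHLO {client_name}"))

    if "STARTTLS" not in rec.capabilities:
        if require_starttls:
            exchange("QUIT")
            raise StartTlsNotOffered(
                f"{client_name}: peer did not advertise STARTTLS; refusing cleartext delivery")
        return rec

    reply = exchange("STARTTLS")
    rec.tls_started = reply[0].startswith("220")   # TLS handshake would follow here
    return rec


def observer_view(rec):
    """Lines an eavesdropper saw: every line exchanged before TLS."""
    return [f"{who}: {line}" for who, line in rec.cleartext]


def rejects_cleartext(server, client_name):
    """True if a STARTTLS-requiring client refuses to go on with this server."""
    try:
        pre_tls_dialogue(server, client_name)
    except StartTlsNotOffered:
        return True
    return False


# Replies constructed from the dialogue quoted in the thread.
YAHOO_LIKE = ScriptedServer(
    banner="220 mail.yahoo.com Yahoo ESMTP Service Ready",
    ehlo_reply=[
        "250-Hello, nice to meet you, mail.example.com",
        "250-SIZE 1000000",
        "250-8BITMIME",
        "250 STARTTLS",
    ],
)

# A constructed peer that never offers TLS (or whose STARTTLS was stripped in transit).
NO_TLS = ScriptedServer(
    banner="220 mx.example.net ESMTP",
    ehlo_reply=["250-Hello mail.example.com", "250 8BITMIME"],
)


if __name__ == "__main__":
    rec = pre_tls_dialogue(YAHOO_LIKE, "mail.example.com")
    print("\n".join(observer_view(rec)))
    print("TLS negotiated next:", rec.tls_started)
    print("Refuses cleartext with NO_TLS peer:", rejects_cleartext(NO_TLS, "mail.example.com"))
```

Run it as a script to print the observer's view of the session: eight lines of cleartext, including the sending host's EHLO name and the receiver's full extension list, precede the point at which the key exchange starts. Nothing in the DNS side of DNSSEC+STARTTLS changes that prefix; what the DNS side can change is whether the client is entitled to treat a missing STARTTLS as an error, which is what `require_starttls` models.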