
Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

2015-03-02 12:45:35
On Mon, Mar 02, 2015 at 01:35:29PM -0500, John C Klensin wrote:

> > but we can prevent downgrade attacks from succeeding.
> >
> > If the MTA implements opportunistic DANE TLS, and usable TLSA
> > records *are* published, then it MUST use STARTTLS and
> > authenticate the peer via said TLSA records.
> >
> > http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-2.2
>
> Victor,

[ Well known details elided. ]

> Neither DNSSEC nor DANE prevent or detect
> those attacks.  They may actually be harmful if they give the
> user a false sense of security.

Since the user is not around for MTA-to-MTA SMTP transmission there
is no opportunity for any false sense of security.  So I object to
a characterization of improved hop by hop transport security as
"harmful".  This is not the thread to deep dive into that.

-- 
        Viktor.
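The rule quoted above (usable TLSA records published means the sending MTA must use STARTTLS and authenticate the peer, rather than falling back to cleartext) is what stops a STARTTLS-stripping downgrade. The following is an added illustration of that decision logic, not code from this thread or from any MTA; it implements the TLSA usage/selector/matching-type semantics of RFC 6698 and the SMTP policy outline of draft-ietf-dane-smtp-with-dane, with `PeerCert`, `decide` and the constructed certificate bytes being assumptions made for the example (real code would take DER from the TLS handshake and would validate the DANE-TA chain properly instead of matching any presented certificate).

```python
import hashlib
from dataclasses import dataclass
from typing import List

# TLSA field values (RFC 6698 / RFC 7218 mnemonics).
DANE_TA, DANE_EE = 2, 3                        # the only usages accepted for SMTP DANE
SEL_CERT, SEL_SPKI = 0, 1                      # match the full cert or only its SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass(frozen=True)
class PeerCert:
    """Hypothetical stand-in for a certificate presented in the TLS handshake."""
    cert_der: bytes
    spki_der: bytes


def is_usable(rr: TLSA) -> bool:
    """A TLSA record is usable only if the MTA supports all three parameters;
    PKIX-TA(0) and PKIX-EE(1) are never usable for SMTP."""
    return (rr.usage in (DANE_TA, DANE_EE)
            and rr.selector in (SEL_CERT, SEL_SPKI)
            and rr.mtype in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def matches(rr: TLSA, cert: PeerCert) -> bool:
    """Compare the selected part of one certificate against the record data."""
    selected = cert.cert_der if rr.selector == SEL_CERT else cert.spki_der
    if rr.mtype == MATCH_FULL:
        return rr.data == selected
    digest = hashlib.sha256 if rr.mtype == MATCH_SHA256 else hashlib.sha512
    return rr.data == digest(selected).digest()


def decide(tlsa_rrs: List[TLSA], starttls_offered: bool, chain: List[PeerCert]) -> str:
    """Return what the sending MTA does with this connection.

    chain[0] is the peer's leaf certificate, the rest are its issuers.
    'defer' means the message is not delivered over this connection
    (the MTA retries or tries another MX); it is never sent in cleartext."""
    usable = [rr for rr in tlsa_rrs if is_usable(rr)]
    if not usable:
        # No usable TLSA: plain opportunistic TLS, cleartext is still permitted.
        return "tls-opportunistic" if starttls_offered else "cleartext"
    if not starttls_offered:
        # DNSSEC-signed TLSA says TLS is mandatory; a server that "forgot" STARTTLS
        # looks like an active downgrade, so do not fall back.
        return "defer: STARTTLS required but not offered"
    for rr in usable:
        # DANE-EE matches the leaf only; DANE-TA matches an issuer in the chain
        # (simplified here: any presented cert, without full path validation).
        candidates = chain[:1] if rr.usage == DANE_EE else chain
        if any(matches(rr, c) for c in candidates):
            return "tls-authenticated"
    return "defer: TLSA authentication failed"


# Constructed sample data: these are not real DER certificates.
LEAF = PeerCert(cert_der=b"\x30\x82constructed-leaf-cert", spki_der=b"\x30\x59constructed-leaf-spki")
ISSUER = PeerCert(cert_der=b"\x30\x82constructed-issuer-cert", spki_der=b"\x30\x59constructed-issuer-spki")

GOOD_EE = TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(LEAF.spki_der).digest())
GOOD_TA = TLSA(DANE_TA, SEL_CERT, MATCH_SHA512, hashlib.sha512(ISSUER.cert_der).digest())
WRONG_EE = TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, bytes(32))
PKIX_EE = TLSA(1, SEL_SPKI, MATCH_SHA256, hashlib.sha256(LEAF.spki_der).digest())

if __name__ == "__main__":
    for label, rrs, offered in [("ee", [GOOD_EE], True), ("ee-stripped", [GOOD_EE], False),
                                ("ta", [GOOD_TA], True), ("pkix-only", [PKIX_EE], False)]:
        print(label, "->", decide(rrs, offered, [LEAF, ISSUER]))
```

The point of the example is the second branch: once a usable, DNSSEC-validated TLSA record exists, the absence of STARTTLS is treated as a failure to defer on, not as permission to send in the clear, which is the downgrade resistance Viktor is describing; with no usable record the MTA behaves exactly as plain opportunistic TLS does.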
