Some reasons I can think of off the top of my head:

* Because emails aren't always opened within the safety of corporate controlled networks (where DNS is controlled)
* Because security systems should always have fallbacks
* Because such a service can be sold to other companies who aren't otherwise interested in hosting their own DNS

I don't understand the point you're going for here, or how it relates to the draft in this thread's subject line.

Thanks,
Tommy

________________________________
From: Rob Sayre <say...@gmail.com>
Sent: Tuesday, July 16, 2019 5:10 PM
To: Tommy Jensen <jensen.tho...@microsoft.com>
Cc: Eric Rescorla <e...@rtfm.com>; dnsop WG <dnsop@ietf.org>; Paul Vixie <p...@redbarn.org>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Hi Tommy,

I also noticed that your email client rewrote the link to "The Register", a site that everyone knows, which then linked to NY Times, etc. It used the domain "nam06.safelinks.protection.outlook.com". Why would that domain be necessary if DNS-based security worked?

thanks,
Rob

On Tue, Jul 16, 2019 at 10:32 AM Rob Sayre <say...@gmail.com> wrote:

On Tue, Jul 16, 2019 at 10:20 AM Tommy Jensen <jensen.tho...@microsoft.com> wrote:

The link you shared indicates the problem is RC4, which was removed from TLS in 1.3 for this very reason. This doesn’t demonstrate TLS 1.3 is vulnerable; it demonstrates why adopting TLS 1.3 is so important.

Yeah, that's one part of it, but some of the other approaches described are more general.

thanks,
Rob

Thanks,
Tommy

________________________________
From: DNSOP <dnsop-boun...@ietf.org> on behalf of Rob Sayre <say...@gmail.com>
Sent: Tuesday, July 16, 2019 8:46:42 AM
To: Eric Rescorla <e...@rtfm.com>
Cc: dnsop WG <dnsop@ietf.org>; Paul Vixie <p...@redbarn.org>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

On Tue, Jul 16, 2019 at 6:41 AM Eric Rescorla <e...@rtfm.com> wrote:

The certs are public information, so having the certs isn't useful. Can you please be clearer about the attack you are describing?

Sure, here's an article about it:

<https://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww..theregister.co.uk%2F2013%2F09%2F06%2Fnsa_cryptobreaking_bullrun_analysis%2F&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C51ca900221824198518208d70a4b34bd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636989190436279112&sdata=5qVj7tNPQMSYuYKmPILW7Uws6JCtLXucxz3CbATL3Cs%3D&reserved=0>>

Do you have any thoughts on that?

thanks,
Rob
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop