Policy Considerations
Phill Hallam Baker
We have a choice
Choice 1
If it works don’t break it
Choice 2
Do the job right
An Architecture
A master plan
If we have to change
• Layered Architecture
• Reusable Policy Statements
• Reusable discovery strategy
You can’t have security without security policy
SSL
• Should I use security?
• HTTPS://
S/MIME, PGP
• No policy layer
• Authentication has limited use
STARTTLS
• The best email encryption we have
• Should be used 100%
• Vulnerable to a downgrade attack
We can fix discovery
Without changing the DNS infrastructure
Or waiting for it to change
Three step discovery
1) policy = lookup (TXT, "_dkim.alice.example.com")
   IF policy <> NULL THEN RETURN policy
2) pointer = lookup (PTR, "alice.example.com")
   IF pointer == NULL THEN RETURN NULL
3) policy = lookup (TXT, "_dkim." + pointer)
   RETURN policy
To specify a wildcard use:
*.example.com PTR _default.example.com
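The three-step discovery and the wildcard pointer, as an added Python example that is not part of the original slides. The zone contents, policy strings and the helper names (ZONE, lookup, discover) are constructed for illustration. It goes slightly beyond the slide by modelling standard DNS wildcard behaviour, where a name that already exists in the zone, even only as the parent of another record, is never answered from a wildcard.

```python
# Constructed records standing in for DNS answers (assumed, not from the slides).
ZONE = {
    ("TXT", "_dkim.alice.example.com"): "alice-policy",
    ("PTR", "*.example.com"): "_default.example.com",
    ("TXT", "_dkim._default.example.com"): "default-policy",
    ("TXT", "_other.carol.example.com"): "unrelated",
}


def _exists(name, zone):
    # A name exists if it owns a record or is the parent of one.
    return any(n == name or n.endswith("." + name) for _, n in zone)


def lookup(rtype, name, zone=ZONE):
    """Return record data or None, with simplified wildcard synthesis."""
    name = name.lower().rstrip(".")
    if _exists(name, zone):
        # Existing names are answered only from their own records.
        return zone.get((rtype, name))
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if _exists(parent, zone):
            # Closest existing ancestor: only its wildcard may answer.
            return zone.get((rtype, "*." + parent))
    return None


def discover(domain, prefix="_dkim", zone=ZONE):
    """Three-step policy discovery as laid out on the slide."""
    # 1) Policy published directly under the queried name.
    policy = lookup("TXT", f"{prefix}.{domain}", zone)
    if policy is not None:
        return policy
    # 2) Otherwise follow the PTR record, which may come from a wildcard.
    pointer = lookup("PTR", domain, zone)
    if pointer is None:
        return None
    # 3) Policy published under the pointer target.
    return lookup("TXT", f"{prefix}.{pointer}", zone)


if __name__ == "__main__":
    for host in ("alice", "bob", "carol"):
        print(host, discover(f"{host}.example.com"))
```

In this constructed zone carol.example.com gets no policy at all: the unrelated record beneath it makes the name exist, so the wildcard PTR does not apply and step 2 returns NULL.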
Choice 1 is best
Don’t boil the ocean
Unless we have to
Don’t end up with