policy considerations phill hallam baker. we have a choice

Post on 18-Jan-2016


Policy Considerations

Phill Hallam Baker

We have a choice

Choice 1

If it works don’t break it

Choice 2

Do the job right

An Architecture

A master plan

If we have to change

• Layered Architecture

• Reusable Policy Statements

• Reusable discovery strategy

You can’t have security without security policy

SSL

• Should I use security?

• HTTPS://

S/MIME, PGP

• No policy layer

• Authentication has limited use

STARTTLS

• The best email encryption we have

• Should be used 100%

• Vulnerable to a downgrade attack

We can fix discovery

Without changing the DNS infrastructure

Or waiting for it to change

Three step discovery

1) policy = lookup (TXT, "_dkim.alice.example.com")
   IF policy <> NULL THEN RETURN policy

2) pointer = lookup (PTR, "alice.example.com")
   IF pointer == NULL THEN RETURN NULL

3) policy = lookup (TXT, "_dkim." + pointer)
   RETURN policy

To specify a wildcard use:

*.example.com PTR _default.example.com
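
The three-step discovery above, worked through as an added example that is not part of the original slides. It runs against a constructed in-memory zone instead of live DNS; the names ZONE, lookup and discover_policy, the policy strings, the bob and carol records, and the simplified wildcard matching are all assumptions made for illustration.

```python
# Constructed zone data for illustration; a real client would query DNS.
ZONE = {
    ("TXT", "_dkim.bob.example.com"): "policy=bob-specific",
    ("PTR", "*.example.com"): "_default.example.com",   # wildcard from the slide
    ("TXT", "_dkim._default.example.com"): "policy=site-default",
    ("PTR", "carol.example.com"): "_missing.example.com",  # pointer with no policy
}


def lookup(rtype, name, zone=ZONE):
    """Return the record value or None.

    Exact match first, then a simplified wildcard match that walks up the
    parent domains (assumption: not full DNS closest-encloser semantics).
    """
    name = name.lower().rstrip(".")
    if (rtype, name) in zone:
        return zone[(rtype, name)]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if (rtype, wildcard) in zone:
            return zone[(rtype, wildcard)]
    return None


def discover_policy(domain, prefix="_dkim", zone=ZONE):
    """Three-step discovery: direct TXT, then PTR, then TXT at the pointer."""
    # Step 1: a policy published directly under the prefixed name wins.
    policy = lookup("TXT", f"{prefix}.{domain}", zone)
    if policy is not None:
        return policy
    # Step 2: otherwise follow a PTR (possibly a wildcard) to a shared name.
    pointer = lookup("PTR", domain, zone)
    if pointer is None:
        return None
    # Step 3: read the policy published under the prefixed pointer target.
    return lookup("TXT", f"{prefix}.{pointer}", zone)


if __name__ == "__main__":
    for host in ("bob.example.com", "alice.example.com",
                 "carol.example.com", "dave.example.org"):
        print(host, "->", discover_policy(host))
```

A None result means no policy was discovered; a client that treats that as "security optional" remains exposed to the downgrade described for STARTTLS.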

Choice 1 is best

Don’t boil the ocean

Unless we have to

Don’t end up with
