On Sep 10, 2013, at 4:09 PM, Paul Wouters <[email protected]> wrote:
> On Tue, 10 Sep 2013, Paul Hoffman wrote:
>
>> On Sep 9, 2013, at 10:52 AM, Paul Wouters <[email protected]> wrote:
>>
>>> It was brought to my attention by Matthias Wimmer that we overlooked
>>> an important issue with respect to the base32 generation of the base32
>>> encoded left hand side of the email address.
>>
>> "We" did not overlook that: as author, I made that decision completely
>> purposefully.
>
> Perhaps documentation of that decision belonged in the Security Section
> of that document? :)

I'm not clear what the security consideration of this is for DANE outside of what it is for all RFC 821(+bis)(+bis)(+bis) email has been.

>>> Mail servers and mail clients do not treat email addresses as
>>> case-insensitive.
>>
>> That is a sometimes-true statement.
>>
>>> When encoding an LHS with base32, the case matters.
>>
>> Yes, exactly. And so does internationalization.
>>
>>> Using the wrong case will cause you to not find the SMIMEA / OPENPGPKEY
>>> record.
>>
>> Yep. And will cause you to sometimes send mail to the wrong recipient.
>
> I'm really not okay with a protocol where I encrypt to the wrong key
> based on the case of the email address.

Errr, then maybe you should not send mail with PGP or S/MIME? Seriously: this issue precedes DANE by well over a decade.

>>> We should probably add a section explaining this, and perhaps suggest to
>>> lowercase before base32'ing the LHS for the lookup.
>>
>> Yes; no.
>
> [citation needed]

We should add a note that case is preserved and that might be surprising; we should not suggest breaking RFC 821(+bis)(+bis)(+bis) in this protocol.

--Paul Hoffman

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
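The case-preservation point argued in the thread, as an added example that is not part of the original messages or of any DANE draft: a lookup-name builder that base32-encodes the left-hand side exactly as given, beside the lowercasing variant Paul Wouters suggested, so the resulting owner names can be compared. The `_smimecert` service label, unpadded RFC 4648 base32, and the sample addresses are assumptions made for illustration only.

```python
import base64

# Service label under which the record would live. The thread does not name it;
# "_smimecert" is an assumption used here for illustration only.
SERVICE_LABEL = "_smimecert"
MAX_LABEL_OCTETS = 63  # DNS label length limit (RFC 1035)


def base32_lhs_label(lhs: str) -> str:
    """Encode the local part exactly as given (case preserved) with RFC 4648
    base32, padding stripped (an assumption). Changing the case of the input
    changes every character of the label, so the wrong case misses the record."""
    label = base64.b32encode(lhs.encode("utf-8")).decode("ascii").rstrip("=")
    if len(label) > MAX_LABEL_OCTETS:
        # Practical caveat: long local parts do not fit in one DNS label at all.
        raise ValueError(
            f"encoded local part is {len(label)} octets; "
            f"a DNS label holds at most {MAX_LABEL_OCTETS}"
        )
    return label


def lookup_name(address: str, lowercase_lhs: bool = False) -> str:
    """Owner name to query for an address.

    lowercase_lhs=False is the behaviour the thread describes (case preserved).
    lowercase_lhs=True is the alternative suggested in the thread, shown only to
    make the difference visible. Only the left-hand side is encoded; the domain
    part is appended as-is, since DNS already compares it case-insensitively."""
    lhs, _, domain = address.rpartition("@")
    if not lhs or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if lowercase_lhs:
        lhs = lhs.lower()
    return f"{base32_lhs_label(lhs)}.{SERVICE_LABEL}.{domain}."


if __name__ == "__main__":
    # Constructed sample addresses differing only in local-part case.
    for addr in ("Alice@example.com", "alice@example.com"):
        print(addr, "->", lookup_name(addr))
    print("same name when lowercased:",
          lookup_name("Alice@example.com", lowercase_lhs=True)
          == lookup_name("alice@example.com", lowercase_lhs=True))
```

Run as-is, the two case variants query different owner names, which is exactly the "wrong case finds no record" situation the thread describes; with lowercasing both collapse onto one name, which is the behaviour the author declines to mandate.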
