On Feb 7, 2014, at 2:49 PM, Viktor Dukhovni <[email protected]> wrote:
> On Fri, Feb 07, 2014 at 11:08:20AM -0800, Paul Hoffman wrote:
>
>> Those existed 15 years ago, and still do. The proposal to make
>> it slightly harder for a harvester (and that's all we're suggesting)
>> adds complexity and no measurable value.
>
> Yes, adding iterations would definitely add complexity.
>
> Arguably HMAC(domain, localpart) is more complex than
> SHA(localpart@domain), I don't care which is used.
>
> Either way of computing the hash of the full address, rather than
> just the local part adds no complexity, and makes off-line attacks
> more difficult (per site dictionaries, rather than global dictionaries).
> This is a free win. There's simply no reason not to.

I have to say that I agree with Paul here. I think the epsilon increase in security is nice, but not at the cost of the additional operational complexity.

However, the hashing-only approach has the nice side effect of fixing the label length. That _does_ seem to solve a problem w/o some of the additional complexity.

My vote would be hashing-only approach over Base32 and HMAC.

Eric

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
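The following is an added example, not part of the original message or of any draft's code. It compares the four label schemes named in the thread on two properties: whether the label for one local part repeats across domains (a global dictionary applies) and whether it fits the 63-octet DNS label limit. Assumptions: "SHA" is taken to be SHA-224 with hex output, HMAC uses the domain as key, and all function names and sample addresses are hypothetical.

```python
import base64
import hashlib
import hmac

MAX_DNS_LABEL = 63  # octets allowed in a single DNS label


def label_base32(localpart: str) -> str:
    # Base32 of the raw local part: reversible, length grows with the input.
    return base64.b32encode(localpart.encode()).decode().rstrip("=").lower()


def label_hash_local(localpart: str) -> str:
    # SHA(localpart): fixed length, but identical for every domain.
    return hashlib.sha224(localpart.encode()).hexdigest()


def label_hash_full(localpart: str, domain: str) -> str:
    # SHA(localpart@domain): fixed length, differs per domain.
    return hashlib.sha224(f"{localpart}@{domain}".encode()).hexdigest()


def label_hmac(localpart: str, domain: str) -> str:
    # HMAC(domain, localpart): domain is the key, local part is the message.
    return hmac.new(domain.encode(), localpart.encode(), hashlib.sha224).hexdigest()


def compare(localpart: str, domains: list) -> dict:
    """Per scheme: is the label shared across domains, and does it fit a DNS label?"""
    schemes = {
        "base32(localpart)": lambda d: label_base32(localpart),
        "sha224(localpart)": lambda d: label_hash_local(localpart),
        "sha224(localpart@domain)": lambda d: label_hash_full(localpart, d),
        "hmac(domain, localpart)": lambda d: label_hmac(localpart, d),
    }
    report = {}
    for name, fn in schemes.items():
        labels = [fn(d) for d in domains]
        report[name] = {
            "same_across_domains": len(set(labels)) == 1,
            "label_len": max(len(label) for label in labels),
            "fits_dns_label": all(len(label) <= MAX_DNS_LABEL for label in labels),
        }
    return report


if __name__ == "__main__":
    # Constructed inputs: a short local part and a maximum-length (64 octet) one.
    for lp in ("alice", "a" * 64):
        for scheme, result in compare(lp, ["example.com", "example.net"]).items():
            print(f"{lp[:8]:<8} {scheme:<26} {result}")
```
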
