Hi,

John Levine writes:

> I see that in dane-openpgpkey, the name on the record is
>
>       <hash>._openpgpkey.domain
>
> and in dane-smime, the name is:
>
>       <hash>._smimecert.domain
>
> These are two different names for the same mailbox.  Since they use
> the same hash, wouldn't it be a better idea for both of them and any
> future RRs that use hashed mailboxes to use the same name?
>
>       <hash>._mailbox.domain
>
> There's no confusion between the two, since they're different RR
> types.  The tree walking attacks are no different, since the attacker
> knows the small set of _token names that might be in use either way.
>

Being able to delegate subdomains for "_openpgpkey" and "_smimecert"
adds operational flexibility. Already during test implementations of the
drafts, I found it helpful to be able to delegate the two domains to a
different set of nameservers, into different zones with different ACLs
(and TSIG-Keys for dynamic updating owned by different people).

I see that in corporate environments PGP and S/MIME are managed by
separate teams/entities (S/MIME being the "official" supported
protocol, PGP being the "de facto" used protocol by the IT team). Having
different domains to delegate really would ease implementation in some
scenarios. The price for the added flexibility is not too high.

Carsten Strotmann

-- 
Sent with my mu4e

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
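
The delegation point discussed in the message above, as an added example that is not part of the original post or of either draft: it derives the owner name for one mailbox under `_openpgpkey`, `_smimecert` and the proposed shared `_mailbox` label, then finds which zone (and which TSIG key) is authoritative for it. Assumptions: the hash is SHA2-256 of the local part truncated to 28 octets, as in the published RFC 7929 and RFC 8162; the zone names, nameservers and key names are constructed.

```python
import hashlib

# Assumption: hash form of the published RFCs (7929 / 8162), not
# necessarily the draft revision under discussion in the thread.
def mailbox_hash(local_part: str) -> str:
    return hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()

def owner_name(address: str, token: str) -> str:
    """Build <hash>.<token>.<domain>. for a mailbox address."""
    local, domain = address.rsplit("@", 1)
    return f"{mailbox_hash(local)}.{token}.{domain.lower().rstrip('.')}."

def enclosing_zone(name: str, zones: dict) -> str:
    """Return the apex of the closest enclosing zone (longest suffix match)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    raise LookupError(f"no zone for {name}")

# Constructed sample: a parent zone with two delegated child zones,
# each with its own nameserver and dynamic-update key.
ZONES = {
    "example.com.": {"ns": "ns1.example.com.", "tsig_key": "hostmaster-key"},
    "_openpgpkey.example.com.": {"ns": "ns.pgp.example.com.", "tsig_key": "pgp-team-key"},
    "_smimecert.example.com.": {"ns": "ns.pki.example.com.", "tsig_key": "smime-team-key"},
}

def update_authority(address: str, token: str) -> tuple:
    """Which zone holds the record, and which key may update it."""
    zone = enclosing_zone(owner_name(address, token), ZONES)
    return zone, ZONES[zone]["tsig_key"]

if __name__ == "__main__":
    for token in ("_openpgpkey", "_smimecert", "_mailbox"):
        print(token, update_authority("alice@example.com", token))
```

With distinct labels each record lands in its own delegated zone; with a single shared label both RR types sit at the same owner name, so they necessarily share one zone and one set of update credentials.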
