On 05/08/15 16:12, Paul Hoffman wrote: > Wearing my author hat: I don't care between b32 and hashing. Both are > equally easy to document. However: > > On 5 Aug 2015, at 4:28, Stephen Farrell wrote: > >> So sorry to continue an argument but shouldn't this experiment be >> a more conservative about privacy just in case it ends up wildly >> successful? > > How is using the hash more conservative about privacy, except in zones > that are signed with NSEC instead of the more common NSEC3? If you > assume zones signed with NSEC3, both options are equally susceptible to > dictionary-based guessing attacks, given that the effort to create > search dictionaries for the billion of common LHS names is pretty low > even for hashes.
Tempora. That on-path attacker has a far easier time reversing the b32 than anything based on the hash. Even with DPRIVE, we don't know how to handle the recursive to authoritative part. So a "putative other protocol that copies this" could well do a great job on hiding identifiers only to be caught out by following this b32 convention. I do accept that hashing doesn't make much difference for PGP or SMIME since the DNS answer in the success case almost certainly gives the game away, but I don't think that has to be true in general. The failure case may also be of interest though, with hashing, that DNS answer doesn't immediately tell the attacker to whom I'd like to send email. And I guess if some MUA adopts this there'll be quite a few negative answers for quite some time, so there's a privacy difference there I think. (Not sure if that was raised before - apologies if so.) S. > > --Paul Hoffman > > _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
