In article <[email protected]> you write:

>The obvious (and noted) privacy implications are that someone could
>discover e-mail addresses by rainbow table DNS queries and/or zone walking.

There are a lot easier ways to find e-mail addresses, and the problem of probing servers to see if addresses are valid has been around for 20 years. To the extent that we worry about it at all, the mail community has a lot of countermeasures that we needn't rehash here.

>S/MIME makes use of x.509 certificates, so I suggest using the serial
>number from the x.509 certificate as a salt with the username before
>taking the hash.

Uh, what? If you already have the cert, why do you need to do the lookup? And if you don't have the cert, where do you get the salt?

>One of the things I worry about is spammers discovering valid e-mail
>addresses through the DANE S/MIME and then using the public key of that
>user to send encrypted malware that can not be filtered on the SMTP
>servers because it is hidden.

This is not a new or particularly interesting concern. Many people have noted that with encrypted mail, all of the spam body checks have to happen after it's decrypted. Malware signatures are just one example of that.

R's,
John

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
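An added Python illustration of the two points argued above (it is not part of the thread or of any DANE implementation): the unsalted SMIMEA owner name is a plain hash of the local-part, so a short dictionary of common local-parts recovers it, while a name salted with the certificate serial cannot even be formed by a sender who has only the address. It assumes the SMIMEA owner-name construction of RFC 8162 (SHA-256 of the local-part, truncated to 28 octets, under `_smimecert`); the salted variant, the function names and the sample data are constructed for this example.

```python
import hashlib
from typing import Iterable, List, Optional


def smimea_owner_name(local_part: str, domain: str, salt: Optional[bytes] = None) -> str:
    """DNS owner name for an S/MIME (SMIMEA) lookup.

    Unsalted form per RFC 8162: hex(SHA-256(local-part)[:28]) under the
    _smimecert label of the domain. The optional salt models the proposal
    in the thread (certificate serial mixed in first); it is NOT in RFC 8162.
    """
    data = local_part.encode("utf-8")
    if salt is not None:
        data = salt + data  # hypothetical salted variant from the thread
    digest = hashlib.sha256(data).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}"


def local_parts_matching(owner_name: str, domain: str,
                         candidates: Iterable[str], salt: Optional[bytes] = None) -> List[str]:
    """Defender-side check: which candidate local-parts map to owner_name?

    With no salt, anyone who can enumerate the zone can run this against a
    dictionary, which is the privacy concern quoted above.
    """
    return [lp for lp in candidates if smimea_owner_name(lp, domain, salt) == owner_name]


# Constructed sample data (not from the thread).
DOMAIN = "example.com"
COMMON_LOCAL_PARTS = ["info", "postmaster", "sales", "john", "hostmaster"]
CERT_SERIAL = bytes.fromhex("0123456789abcdef")  # placeholder serial number


def demo():
    published = smimea_owner_name("john", DOMAIN)
    recovered = local_parts_matching(published, DOMAIN, COMMON_LOCAL_PARTS)
    # Salted name: the lookup is unforgeable without the serial, but so is the
    # legitimate sender's query, who has only the address and not yet the cert.
    salted = smimea_owner_name("john", DOMAIN, CERT_SERIAL)
    without_salt = local_parts_matching(salted, DOMAIN, COMMON_LOCAL_PARTS)
    with_salt = local_parts_matching(salted, DOMAIN, COMMON_LOCAL_PARTS, CERT_SERIAL)
    return recovered, without_salt, with_salt


if __name__ == "__main__":
    print(demo())
```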
