On 04/11/2017 12:15 PM, Paul Wouters wrote:
> On Tue, 11 Apr 2017, Alice Wonder wrote:
>> If the serial number for the x.509 certificate is a salt for the hash,
>> then spammers can not determine the validity of an e-mail address from
>> DNS but those who already have the certificate can use DNS to DANE
>> validate the certificate.
> Except the whole point of this record is to publish that certificate, so
> clearly the spammers have a copy of the serial number too :)
> Paul
Okay I think my perspective on this is different.
Due to epilepsy, I do not drive and require more sleep than most people
and frequently must lie down. Not conducive to a good income, so I
never used S/MIME simply because I did not want to pay for certs for my
various e-mail addresses.
I tried OpenPGP but found the web of trust to be too complex for most
people I communicate with and found the procedure for revoking a private
key that may have been compromised too awkward.
I saw S/MIME with DANE as a way to use self-signed x.509 certs with
confidence (more confidence than I personally have in the CA system
where fraudulent certs are not uncommon, and where software like content
filters and Superfish often insert a root authority into users' trusted
list) and saw S/MIME DANE as a way to validate those self-signed
certificates, not as a way to distribute them.
I am sorry, I misunderstood the purpose.
That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may
give the privacy I seek.
If a * wildcard works with DNSSEC (I've never personally tried
them) then the e-mail domain could be the certificate authority for
x.509 certificates on the domain and sign certificates for the users
that could then be DANE validated without DNS giving positive
confirmation to the existence of an address or revealing the public key
needed for a spammer to bypass the content filtering when sending
malware to random users.
That is probably a better solution than using a serial number as a hash,
and probably is easier to manage too as it only requires one DNS entry
for every user on the system.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
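Added example (not part of the thread and not code from either participant): a small Python model of the two record layouts the thread compares. It builds SMIMEA owner names the way RFC 8162 specifies (SHA-256 of the UTF-8 local-part, truncated to 28 octets, under `_smimecert.<domain>`), then contrasts a zone with one DANE-EE (3 1 1) record per user against a zone with a single wildcard DANE-TA (2 1 1) record for the domain CA. The SPKI byte strings, the zone contents and the `lookup`/`address_oracle` helpers are constructed for the example; the resolver ignores the NSEC/NSEC3 proofs a real DNSSEC wildcard answer carries, since only the leaked/not-leaked distinction matters here.

```python
"""Added example: SMIMEA owner names (RFC 8162) and the address-existence
oracle that per-user records create but a wildcard DANE-TA record avoids."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SMIMEA:
    usage: int      # 2 = DANE-TA (domain's own CA), 3 = DANE-EE (user's cert)
    selector: int   # 1 = SubjectPublicKeyInfo
    matching: int   # 1 = SHA-256 over the selected data
    data: str       # hex digest

    def presentation(self) -> str:
        return f"SMIMEA {self.usage} {self.selector} {self.matching} {self.data}"


def smimea_owner_name(email: str) -> str:
    """RFC 8162 owner name: hex(SHA-256(local-part)[:28]) . _smimecert . domain.
    Nothing secret enters the hash, so anyone who knows the address can
    compute the name; hashing hides nothing from a sender."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.lower()}."


def spki_record(usage: int, spki_der: bytes) -> SMIMEA:
    """Selector 1 / matching type 1: SHA-256 of the DER SubjectPublicKeyInfo."""
    return SMIMEA(usage, 1, 1, hashlib.sha256(spki_der).hexdigest())


def lookup(zone: Dict[str, SMIMEA], qname: str) -> Tuple[Optional[SMIMEA], str]:
    """Toy resolver: exact owner first, then a single-label wildcard under the
    same parent, else NXDOMAIN (DNSSEC proofs deliberately not modelled)."""
    if qname in zone:
        return zone[qname], "exact"
    _, parent = qname.split(".", 1)
    wild = "*." + parent
    if wild in zone:
        return zone[wild], "wildcard"
    return None, "NXDOMAIN"


def address_oracle(zone: Dict[str, SMIMEA], known: str, probe: str) -> bool:
    """True when DNS answers differently for a real and a guessed address,
    i.e. the zone confirms which local-parts exist."""
    return lookup(zone, smimea_owner_name(known)) != lookup(zone, smimea_owner_name(probe))


# Constructed placeholders standing in for real DER-encoded SPKI blobs.
USER_SPKI = b"constructed-placeholder-user-spki"
CA_SPKI = b"constructed-placeholder-domain-ca-spki"


def per_user_zone() -> Dict[str, SMIMEA]:
    """One 3 1 1 record per mailbox: publishes the user's key and, by its
    presence, the fact that the mailbox exists."""
    return {smimea_owner_name("alice@example.com"): spki_record(3, USER_SPKI)}


def wildcard_zone() -> Dict[str, SMIMEA]:
    """One 2 1 1 wildcard for the whole domain: every local-part, real or
    not, resolves to the same domain-CA hash and no user key is published."""
    return {"*._smimecert.example.com.": spki_record(2, CA_SPKI)}


if __name__ == "__main__":
    probe = "nobody@example.com"
    for label, zone in (("per-user 3 1 1", per_user_zone()),
                        ("wildcard 2 1 1", wildcard_zone())):
        rec, how = lookup(zone, smimea_owner_name(probe))
        print(f"{label}: probe -> {how} {rec.presentation() if rec else ''}")
        print("  leaks address existence:",
              address_oracle(zone, "alice@example.com", probe))
```

With the wildcard zone a verifier still needs the recipient's end-entity certificate from somewhere other than DNS (a signed S/MIME message normally carries it), and it validates that certificate by chaining to the CA whose SPKI hash the 2 1 1 record publishes; DNS alone no longer reveals a user key or confirms that a mailbox exists.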