On Thu, Feb 13, 2014 at 06:19:15PM +0000, Osterweil, Eric wrote:

> > Either way, computing the hash of the full address, rather than
> > just the local part, adds no complexity, and makes off-line attacks
> > more difficult (per-site dictionaries, rather than global dictionaries).
> > This is a free win.  There's simply no reason not to.
> 
> I have to say that I agree with Paul here.  I think the epsilon
> increase in security is nice, but not at the cost of the additional
> operational complexity.  However, the hashing-only approach has
> the nice side effect of fixing the label length.  That _does_ seem
> to solve a problem w/o some of the additional complexity.  My vote
> would be hashing-only approach over Base32 and HMAC.

In an off-list IM discussion, Paul H. and I reached consensus on
local-part only hashing.  His argument is based on the introduction
of root zone DNAME RRs that create equivalence between large subtrees
of the DNS namespace.  Users will likely expect these to result in
equivalence of email addresses, ... so having SMIMEA lookup labels
that work relative to multiple equivalent domain FQDNs is then a
requirement.

So I withdraw the suggestion to salt the lookup key with the domain.

-- 
        Viktor.

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
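The two points made in this thread, that a hashed label has a fixed length and that a local-part-only hash keeps working when a DNAME makes two domains equivalent, can be checked with a few lines of code. The example below is added here and is not from the thread or from any DANE implementation. It assumes the label form RFC 8162 eventually specified (SHA2-256 over the UTF-8 local-part, truncated to 28 octets, lower-case hex, under the _smimecert label), which postdates this discussion, and it uses a constructed DNAME table (example.net redirected to example.com) that does not correspond to real zones.

```python
import hashlib

# Constructed DNAME equivalence for the demonstration only: names under
# example.net are rewritten to example.com, as a resolver would do.
DNAME_EQUIVALENT = {"example.net": "example.com"}

# DNS labels are limited to 63 octets; a raw local-part can exceed that.
MAX_LABEL_OCTETS = 63


def smimea_hash_label(hash_input: str) -> str:
    """SHA2-256 of the UTF-8 input, truncated to 28 octets, as lower-case hex.

    This is the RFC 8162 label form, assumed here; the thread above predates it.
    The result is always 56 hex characters, which is the 'fixed label length'
    property discussed above.
    """
    return hashlib.sha256(hash_input.encode("utf-8")).digest()[:28].hex()


def split_address(email: str):
    """Split at the last '@'. The local-part is kept as given (no case folding);
    the domain is lower-cased and stripped of a trailing dot for DNS use."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local_part, domain.lower().rstrip(".")


def smimea_owner_name(email: str, salt_with_domain: bool = False) -> str:
    """Build the SMIMEA owner name for an address.

    salt_with_domain=False hashes the local-part only (the consensus in the thread).
    salt_with_domain=True hashes the full address (the withdrawn proposal), so the
    label depends on which of several equivalent domains the sender used.
    """
    local_part, domain = split_address(email)
    hash_input = f"{local_part}@{domain}" if salt_with_domain else local_part
    return f"{smimea_hash_label(hash_input)}._smimecert.{domain}."


def resolve_dname(owner_name: str) -> str:
    """Apply the constructed DNAME table to a query name (suffix rewrite only)."""
    for alias, target in DNAME_EQUIVALENT.items():
        suffix = f".{alias}."
        if owner_name.endswith(suffix):
            return owner_name[: -len(suffix)] + f".{target}."
    return owner_name


def lookup_matches_after_dname(alias_email: str, canonical_email: str,
                               salt_with_domain: bool) -> bool:
    """True if a query for alias_email, after DNAME rewriting, lands on the name
    the canonical domain actually publishes for canonical_email."""
    queried = resolve_dname(smimea_owner_name(alias_email, salt_with_domain))
    published = smimea_owner_name(canonical_email, salt_with_domain)
    return queried == published


def label_lengths(email: str):
    """Return (octets of the raw local-part, length of the hashed label)."""
    local_part, _ = split_address(email)
    return len(local_part.encode("utf-8")), len(smimea_hash_label(local_part))


if __name__ == "__main__":
    alias, canonical = "alice@example.net", "alice@example.com"
    print("local-part only, DNAME lookup works:",
          lookup_matches_after_dname(alias, canonical, salt_with_domain=False))
    print("salted with domain, DNAME lookup works:",
          lookup_matches_after_dname(alias, canonical, salt_with_domain=True))
    raw, hashed = label_lengths("a" * 70 + "@example.com")
    print(f"raw local-part {raw} octets (limit {MAX_LABEL_OCTETS}), hashed label {hashed}")
```

The DNAME rewrite only touches the suffix of the query name, so the hashed label must already be correct for the target zone; that is exactly why a hash over the full address breaks under DNAME while a hash over the local-part alone does not.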