I see that in dane-openpgpkey, the name on the record is
<hash>._openpgpkey.domain
and in dane-smime, the name is:
<hash>._smimecert.domain
These are two different names for the same mailbox. Since they use
the same hash, wouldn't it be a better idea for both of them and any
future RRs that use hashed mailboxes to use the same name?
<hash>._mailbox.domain
There's no confusion between the two, since they're different RR
types. The tree walking attacks are no different, since the attacker
knows the small set of _token names that might be in use either way.
I expect we will end up with conventional kludges to deal with the
reality that systems treat mailbox names as case independent, e.g.,
publish the hash of the name as normally capitalized, but also publish
a CNAME at the hash of the name with everything in lower case. (This
doesn't work very well for non-ASCII names. It's a kludge, but like
all kludges, it'll work better in practice than in theory.) With one
name, we only need to do one kludge per mailbox, rather than the
product of the number of mailboxes and the number of RR types.
R's,
John
PS: The payment record draft that showed up a few days ago uses _pmta,
but again, same mailbox, should be at the same name.
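The record-count argument in the post can be made concrete. The following is an added example, not code from the post or from any DANE implementation: it builds the owner names for the existing `_openpgpkey` / `_smimecert` conventions and for the proposed single `_mailbox` label, emits the lowercase-hash CNAME kludge the post describes, and counts how many CNAMEs each scheme needs. It assumes the hashing used by OPENPGPKEY in RFC 7929 (SHA-256 of the UTF-8 local-part, truncated to 28 octets, hex encoded); the `_mailbox` label, the sample mailboxes and the `<key data>` placeholders are constructed for the example.

```python
import hashlib

# Labels and RR types named in the post. The proposed shared label is the
# post's suggestion, not a registered convention.
TOKEN_RRTYPE = {"_openpgpkey": "OPENPGPKEY", "_smimecert": "SMIMEA"}
PROPOSED_TOKEN = "_mailbox"


def mailbox_hash(local_part: str) -> str:
    """Hash a local-part as RFC 7929 does for OPENPGPKEY (assumed here for
    all mailbox-keyed types): SHA-256, first 28 octets, 56 hex characters."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return digest[:28].hex()


def owner_name(local_part: str, domain: str, token: str) -> str:
    """<hash>.<token>.<domain>. as an absolute DNS owner name."""
    return f"{mailbox_hash(local_part)}.{token}.{domain}."


def case_kludge(local_part: str, domain: str, token: str):
    """The kludge from the post: a CNAME at the hash of the lower-cased
    local-part pointing at the hash of the name as normally capitalized.
    Returns None when the local-part is already lower case, because both
    hashes are then identical and the data record already answers."""
    folded = local_part.lower()
    if folded == local_part:
        return None
    return (owner_name(folded, domain, token), "CNAME",
            owner_name(local_part, domain, token))


def zone_per_type(mailboxes, domain, tokens=TOKEN_RRTYPE):
    """Today's layout: a separate owner name per (mailbox, RR type), so the
    CNAME kludge must be repeated once per RR type per mailbox."""
    rrs = []
    for local in mailboxes:
        for token, rrtype in tokens.items():
            rrs.append((owner_name(local, domain, token), rrtype, "<key data>"))
            cname = case_kludge(local, domain, token)
            if cname:
                rrs.append(cname)
    return rrs


def zone_single_name(mailboxes, domain, rrtypes=tuple(TOKEN_RRTYPE.values())):
    """Proposed layout: every RR type for a mailbox shares one owner name, so
    one CNAME at the lower-case hash redirects all of them at once."""
    rrs = []
    for local in mailboxes:
        for rrtype in rrtypes:
            rrs.append((owner_name(local, domain, PROPOSED_TOKEN), rrtype, "<key data>"))
        cname = case_kludge(local, domain, PROPOSED_TOKEN)
        if cname:
            rrs.append(cname)
    return rrs


def count_cnames(rrs) -> int:
    return sum(1 for _, rrtype, _ in rrs if rrtype == "CNAME")


if __name__ == "__main__":
    # Constructed sample: one mixed-case mailbox, one already lower case.
    sample = ["John.Doe", "alice"]
    for label, zone in (("per-type", zone_per_type(sample, "example.com")),
                        ("single-name", zone_single_name(sample, "example.com"))):
        print(f"{label}: {len(zone)} records, {count_cnames(zone)} CNAME kludges")
        for owner, rrtype, rdata in zone:
            print(f"  {owner} IN {rrtype} {rdata}")
```

With two RR types and one mixed-case mailbox, the per-type layout needs two CNAMEs for that mailbox while the single-name layout needs one, which is the "one kludge per mailbox" versus "mailboxes times RR types" difference the post describes; a lower-case local-part needs no CNAME under either scheme.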
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane