On Wed, 1 Apr 2015, Nico Williams wrote:

>> And requiring the private DNS key is available on all name servers
>> for online signing really adds a huge amount of risk to the server
>> in case of compromise - an attacker could make up OPENPGPKEY records.

> Any dynamic lookup will have this problem.

Not a non-DNS-based lookup that has no private DNSKEY?

> The pointer-to-server approach has the same problem, only at an HTTPS
> server instead of at a DNS server.

Yes, in addition to not being able to tell an outage from an attack like
DNS with "indeterminate" or "bogus".

> The scope of compromise can be limited in both cases (since
> the online keys in the DNS case could be for just the SMIME/OPENPGP
> sub-zones).

Those zones are the only ones that matter if you want to replace a PGP
key? I don't understand your point.

> John L.'s regexp DFA concept doesn't have any such problems,

I guess I still don't understand where this matching engine that returns
variable answers actually lives...

> but I think it'd be rather slow for MUAs...

Slow for MUAs and MTAs doesn't really matter that much. Some people
greylist for an hour.

> Any mail domain that chooses simply not to implement any dynamic mailbox
> name canonicalization can fob off all normalization problems onto users.

Agreed, but I still don't understand how using base32 in DNS helps that
draft at all. The QNAME either matches or not. You cannot return a DNS
record that does not match the QNAME/QTYPE.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
