On Thu, Jul 02, 2015 at 10:34:02AM -0400, Paul Wouters wrote:

> On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
> 
> >So for me, the main obstacle is still the owner-label, which is
> >the same for both OPENPGP and SMIMEA.
> 
> No one has given me feedback (positive or negative) on the "lowercase if
> ascii, normalise otherwise", then lookup base32/split or using hash,
> that was advised to me by some of the EAI people.

Works for me.  I don't know which particular unicode normal form
is most appropriate, but so long as you got sound advice on that
I have no objections.

> if we do that with base32/split, I think it addresses all concerns:
> 
> - no guessing / multiple lookups
> - works for non-ascii
> - works for ascii
> - works for online signing with smtp server integration

If this really were to be integrated into the SMTP infrastructure
for online signing, I would want a protocol over TCP that is not
proxied by ISP resolvers, so the SMTP server would have a better
idea of where the request is coming from.  Otherwise, a large
fraction of the requests would be proxied by 8.8.8.8 and friends,
and rate limiting abusive clients becomes very difficult.

That said, if rate limiting "dictionary attack" query patterns is
not a concern, the above gives sites that don't mind the exposure
more flexibility.  This is not worse than the opaque hash.  Of
course email addresses that are too long to encode in a 255 octet
owner name can't have keys, but they're unlikely to be very popular
with users.

-- 
        Viktor.

P.S.

In the meantime PHB seems to be working on some sort of comprehensive
end-to-end email architecture.  Is there a possibility that his
"whole elephant" approach will have more traction than adjoining
DANE key management to an otherwise largely unchanged email toolchain?

Has anyone looked at his work in detail (I don't recall how much
has been published in detail so far)?
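As an added illustration (not code from the thread or from any of its participants), the two owner-name constructions under discussion side by side: "lowercase if ASCII, normalise otherwise", followed by either base32 encoding split into DNS labels or an opaque hash, with the 255-octet owner-name limit checked. It assumes NFC as the Unicode normal form, unpadded lowercase base32 split at 63 octets for the base32/split variant, and SHA-256 truncated to 28 octets (the RFC 7929 OPENPGPKEY construction) for the hash variant; the domain and local parts are constructed sample values.

```python
import base64
import hashlib
import unicodedata
from typing import List

MAX_LABEL = 63          # DNS label limit, octets
MAX_OWNER_NAME = 255    # DNS owner name limit, octets on the wire


def normalise_local_part(local: str) -> str:
    """Lowercase a pure-ASCII local part; otherwise apply NFC (assumed form)."""
    if local.isascii():
        return local.lower()
    return unicodedata.normalize("NFC", local)


def base32_labels(local: str) -> List[str]:
    """'base32/split' variant: unpadded lowercase base32 of the UTF-8 local
    part, chopped into labels of at most 63 octets."""
    raw = normalise_local_part(local).encode("utf-8")
    b32 = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]


def hashed_label(local: str) -> str:
    """Opaque-hash variant: SHA-256 of the normalised local part, truncated
    to 28 octets and hex-encoded (56 characters), as in RFC 7929."""
    digest = hashlib.sha256(normalise_local_part(local).encode("utf-8")).digest()
    return digest[:28].hex()


def owner_name(local: str, domain: str, rrtype: str = "openpgpkey",
               hashed: bool = False) -> str:
    """Build the full owner name and reject it if it cannot fit in 255 octets.
    The domain is assumed to be ASCII already (IDNA not handled here)."""
    labels = [hashed_label(local)] if hashed else base32_labels(local)
    labels += ["_" + rrtype] + domain.lower().split(".")
    # Wire format: one length octet per label plus the terminating root label.
    wire_len = sum(1 + len(lbl) for lbl in labels) + 1
    if wire_len > MAX_OWNER_NAME:
        raise ValueError("owner name would be %d octets, limit is %d"
                         % (wire_len, MAX_OWNER_NAME))
    return ".".join(labels) + "."


if __name__ == "__main__":
    print(owner_name("Alice", "example.com"))               # base32/split
    print(owner_name("Alice", "example.com", hashed=True))  # opaque hash
```

The base32 form is reversible, so a long local part simply runs out of room, whereas the hashed form is fixed-width and always fits; that is the exposure-versus-flexibility trade-off the thread describes.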

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane