Hello everyone,

At Posteo, we've implemented OPENPGPKEY and SMIMEA. We are a provider of email accounts (exclusively on a paid basis) with a strong focus on privacy and security.

We think it would be better for the local parts to use hashing. Our two points:

- The discussion obviously came up because of trying to determine a way to find entries when users use upper and lower case characters. From our perspective, this is not a problem that these drafts can solve.
- Base encoding equates to plaintext transfer and for a security feature, privacy should not be disregarded.

In detail:

For us it is not a question for these drafts, whether local parts should be normalised or not. The drafts complement email, and they should therefore not introduce their own interpretation of email. This runs contrary to the sense of the RFC system and would in that form presumably delay or prevent adoption of the drafts. For us it is perfectly clear that the local parts are either written the same and match, or not. If the email community thinks that there is a problem with the local parts, then that is, in my opinion, a matter for another draft. OPENPGPKEY and SMIMEA should not be used for work on a different project.

Hashing of local parts is definitely a great advance over plaintext transfer in terms of security. Even if hashing was not initially intended as a security feature, it is one. In any case, it distinctly hinders the possibility of simply reading the data in DNS requests - data that could convey a lot about the communication behaviour of users. Hashing is from our perspective a necessary first step, especially when DNS requests do not occur encrypted. Of course, hashing does not protect against "decryption" - but it makes a distinct difference whether I need to make a targeted attack on a hash, or can arbitrarily search through the plaintext in a stream of data.

We would strongly welcome it if the drafts were to move forward with hashing, in terms of acceptance as a genuine security feature at the service of internet users. We need as much security as possible; the Snowden revelations demonstrated this.

Best regards,
Patrik

On 22.07.2015 at 12:00, "Olafur Gudmundsson" <ogud at ogud.com> wrote:

> Dear Colleagues
>
> The sense of the room in the IETF-93 meeting was to do a BASE32 encoding of local part with 60 character labels, shortest label is the left most label.
>
> If you can NOT live with this path forward now is your last chance to say so. By August 1st the chairs will instruct editors how to proceed.
>
> Warren & Olafur

-- 
Patrik Löhr
Posteo e.K.
Methfesselstr. 38
10965 Berlin
web <https://posteo.de>
Commercial register: Berlin-Charlottenburg · HRA 47592 B
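
The difference the message describes between a Base32 owner name and a hashed one, as seen by someone reading unencrypted DNS queries, shown in an added example that is not part of the message or of the drafts. Assumptions: the Base32 form is unpadded, lower-cased, split so the remainder label is leftmost, and placed under the same `_openpgpkey` label; the hashed form is the one later published in RFC 7929; the addresses are constructed.

```python
import base64
import hashlib

ZONE_LABEL = "_openpgpkey"  # assumed to be used for both forms

def base32_owner(local: str, domain: str) -> str:
    """Base32 form: unpadded, lower-cased, cut into labels of at most 60
    characters with the short remainder label leftmost (assumed layout)."""
    enc = base64.b32encode(local.encode("utf-8")).decode("ascii").rstrip("=").lower()
    head = len(enc) % 60
    labels = [enc[:head]] if head else []
    labels += [enc[i:i + 60] for i in range(head, len(enc), 60)]
    return ".".join(labels + [ZONE_LABEL, domain])

def hashed_owner(local: str, domain: str) -> str:
    """Hashed form as in RFC 7929: SHA2-256 truncated to 28 octets, hex."""
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return ".".join([digest.hex(), ZONE_LABEL, domain])

def local_part_from_base32(qname: str) -> str:
    """What anyone who sees the Base32 query name can compute, no key needed."""
    enc = qname.split("." + ZONE_LABEL + ".", 1)[0].replace(".", "").upper()
    enc += "=" * (-len(enc) % 8)  # restore the stripped padding
    return base64.b32decode(enc).decode("utf-8")

def matches_hashed(qname: str, candidate: str, domain: str) -> bool:
    """A hashed name can only be tested against a local part already in mind."""
    return hashed_owner(candidate, domain) == qname

if __name__ == "__main__":
    # Constructed sample addresses, not taken from the message.
    for local in ("alice", "a" * 64):
        b32 = base32_owner(local, "example.org")
        print(b32, "->", local_part_from_base32(b32))
        print(hashed_owner(local, "example.org"))
```

The Base32 name decodes straight back to the local part, while the hashed name only answers yes or no for a candidate that is already known.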
