Hiya,

On 05/08/15 19:32, Viktor Dukhovni wrote:
> I don't think hashing (without salt) provides sufficient obfuscation
> to deter on-path attacks.


Compared to b32 hashing is clearly less bad, if we're putting user-specific identifiers in the DNS. The requirement to have a large table and to pre-calculate that does increase the effort for attackers. I don't think anyone has claimed that that would deter all attackers. And even for the most capable attacker, it would I think make it a little harder to do some kinds of pattern matching.

And btw, I would assume use of a salt is impractical as would any mechanism that means that DNS queries for the same thing will differ each time. That seems more like a DNS-next-gen thing, but maybe I'm wrong about that. Be nice if so, but I suspect not.

S.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
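
The trade-off discussed in this message, as an added example that is not part of the original email or of any draft's reference code: it compares what an on-path observer learns from a base32 label, an unsalted hashed label, and a per-query salted label. The label parameters (lowercase unpadded base32, SHA-256 truncated to 28 octets, a 16-byte salt) and all sample names are assumptions made for illustration.

```python
import base64
import hashlib
import os


def b32_label(local_part: str) -> str:
    """Base32 of the local-part, lowercase, padding stripped (assumed encoding)."""
    raw = base64.b32encode(local_part.encode("utf-8")).decode("ascii")
    return raw.rstrip("=").lower()


def decode_b32_label(label: str) -> str:
    """A base32 label is reversible by anyone who sees it; no table is needed."""
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded).decode("utf-8")


def hashed_label(local_part: str) -> str:
    """Unsalted SHA-256, truncated to 28 octets, hex-encoded (assumed parameters)."""
    return hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()


def salted_label(local_part: str, salt: bytes) -> str:
    """Hypothetical salted variant: the label changes whenever the salt changes."""
    return hashlib.sha256(salt + local_part.encode("utf-8")).digest()[:28].hex()


def build_table(candidates):
    """Precomputed label -> local-part map; size and cost grow with the list."""
    return {hashed_label(c): c for c in candidates}


def observer_view(label: str, table: dict):
    """What a table holder learns from one observed hashed label (None if absent)."""
    return table.get(label)


# Constructed candidate list standing in for the "large table" in the message.
TABLE = build_table(["alice", "bob", "postmaster"])

if __name__ == "__main__":
    print("b32   :", b32_label("alice"), "->", decode_b32_label(b32_label("alice")))
    print("hash  :", hashed_label("alice"), "->", observer_view(hashed_label("alice"), TABLE))
    print("unseen:", observer_view(hashed_label("zq7-unlisted"), TABLE))
    # Two lookups for the same user no longer share a query name, so a
    # zone cannot publish a record under a name the querier can derive.
    print("salted:", salted_label("alice", os.urandom(16)) != salted_label("alice", os.urandom(16)))
```

The hashed label hides only local-parts that are missing from the observer's table, which is the "less bad, not a deterrent" position stated above.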
