On Wed 2015-08-05 11:25:08 -0400, Stephen Farrell wrote:
> Tempora. That on-path attacker has a far easier time reversing the
> b32 than anything based on the hash. Even with DPRIVE, we don't know
> how to handle the recursive to authoritative part.
>
> So a "putative other protocol that copies this" could well do a great
> job on hiding identifiers only to be caught out by following this b32
> convention.
>
> I do accept that hashing doesn't make much difference for PGP or SMIME
> since the DNS answer in the success case almost certainly gives the
> game away, but I don't think that has to be true in general.
>
> The failure case may also be of interest though, with hashing, that DNS
> answer doesn't immediately tell the attacker to whom I'd like to send
> email. And I guess if some MUA adopts this there'll be quite a few
> negative answers for quite some time, so there's a privacy difference
> there I think. (Not sure if that was raised before - apologies if so.)

yep, i raised that concern too, thanks for reinforcing it :)

the cost of inverting a digest is definitely more than the cost of
inverting b32, but it's unlikely to be difficult for an interested
attacker to invert otherwise low-entropy domain names or localparts of
e-mail addresses.

see djb's writeup on nsec3walker for a related example of how low the
bar is for doing large-scale hashing with the kind of low-entropy input
spaces found in DNS:

http://dnscurve.org/nsec3walker.html

It's not exactly the same problem, but a good example of how small the
protection is against a motivated adversary in this context.

--dkg
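
Added example (not part of the original message or of any draft text): what an on-path observer learns from the leftmost query label under each convention, whether or not the lookup succeeds. The label formats (unpadded lowercase base32; SHA-256 truncated to 28 octets, as hex), the function names, the sample local-parts and the guess list are all assumptions constructed for illustration.

```python
import base64
import hashlib

def b32_label(localpart):
    """Assumed b32 convention: unpadded, lowercase base32 of the local-part."""
    return base64.b32encode(localpart.encode()).decode().rstrip("=").lower()

def digest_label(localpart):
    """Assumed digest convention: SHA-256 truncated to 28 octets, as hex."""
    return hashlib.sha256(localpart.encode()).digest()[:28].hex()

def invert_b32(label):
    """No guessing needed: restore the padding and decode."""
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded).decode()

def invert_digest(label, guesses):
    """Succeeds only if the local-part is in the observer's guess list."""
    table = {digest_label(g): g for g in guesses}
    return table.get(label)

def observe(localparts, guesses):
    """Map each queried local-part to (recovered via b32, recovered via digest),
    using only the query label, so negative answers leak the same way."""
    result = {}
    for lp in localparts:
        result[lp] = (invert_b32(b32_label(lp)),
                      invert_digest(digest_label(lp), guesses))
    return result

# Constructed sample data: two common local-parts and one high-entropy one.
QUERIED = ["alice", "postmaster", "x7q-9f2k-rt41"]
GUESSES = ["admin", "alice", "bob", "info", "postmaster", "webmaster"]

if __name__ == "__main__":
    for lp, (via_b32, via_digest) in observe(QUERIED, GUESSES).items():
        print(f"{lp!r}: b32 -> {via_b32!r}, digest -> {via_digest!r}")
```

The digest column comes back empty only for the local-part that is absent from the guess list, which is the whole extent of the protection hashing adds here.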
