On Thu, 6 Aug 2015, Jiankang Yao wrote:
> If there is an "email zone walking", the email spammer can use this feature to get the valid address easily and send trash emails. If we hope to prevent the spammer from getting the email address easily, the email address should be regarded as secret.
So if you use NSEC3 and base32, they need to break the NSEC3 hashing, which has various parameters to make it easier or harder, but all are basically in the range of a few days of GPU cracking. If you use NSEC3 and sha256(LHS) then the work increase is basically making a table for every 8 letter combination and dictionary names which should be far fewer computations than the NSEC3 breaking.

And to defend your email address against this, you have to make it so it is not easily guessable with known names and that makes it harder to convey your email address verbally to other people - the exact opposite of what you want.

Also, the only current alternative for people is to push their email address plaintext to a keyserver. So even with base32, we are increasing the privacy of email addresses of openpgp users.

I really do believe that the hashing is not an effective security measure.

Paul
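
The comparison in the message above between a base32 label and sha256(LHS), as an added example that is not part of the original message: a zone operator's audit of which published hashed labels a precomputed guess table recovers. The label encodings (lowercase unpadded base32; hex SHA-256 truncated to 28 octets), the function names and all sample local parts are assumptions constructed for illustration.

```python
import base64
import hashlib

def base32_label(local_part: str) -> str:
    """Assumed base32 form: reversible, so the label itself reveals the local part."""
    return base64.b32encode(local_part.encode()).decode().rstrip("=").lower()

def decode_base32_label(label: str) -> str:
    """Undo base32_label by restoring the padding that was stripped."""
    pad = "=" * (-len(label) % 8)
    return base64.b32decode(label.upper() + pad).decode()

def sha256_label(local_part: str) -> str:
    """Assumed hashed form: hex SHA-256 of the local part, truncated to 28 octets."""
    return hashlib.sha256(local_part.encode()).digest()[:28].hex()

def build_table(candidates):
    """One-time precomputation: hashed label -> guessed local part."""
    return {sha256_label(c): c for c in candidates}

def audit_labels(published, table):
    """Split published hashed labels into recovered and not recovered by the table."""
    recovered = {lab: table[lab] for lab in published if lab in table}
    unrecovered = [lab for lab in published if lab not in table]
    return recovered, unrecovered

# Constructed sample data: a tiny name dictionary and three local parts in a zone.
FIRST = ["paul", "alice", "bob"]
LAST = ["smith", "jones"]
CANDIDATES = FIRST + [f"{f}.{l}" for f in FIRST for l in LAST]
ZONE_LOCAL_PARTS = ["paul", "alice.jones", "x7q-vk29tz"]
PUBLISHED = [sha256_label(lp) for lp in ZONE_LOCAL_PARTS]

def run_audit():
    """Audit the constructed zone against the constructed guess table."""
    return audit_labels(PUBLISHED, build_table(CANDIDATES))

if __name__ == "__main__":
    recovered, unrecovered = run_audit()
    for label, local_part in recovered.items():
        print(f"recovered   {label[:16]}...  ->  {local_part}")
    for label in unrecovered:
        print(f"unrecovered {label[:16]}...  (not a name-like local part)")
    # The base32 form needs no table at all:
    print(decode_base32_label(base32_label("alice.jones")))
```

Only the local part that is not built from known names survives the lookup, which is the trade-off the message describes: an address that resists guessing is also one that is hard to convey verbally.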
