> On Apr 12, 2017, at 11:59 PM, Phil Pennock wrote:
>
>> I should note that one can of course implement one's SMIMEA deployment
>> in exactly this way, something along the lines of:
>>
>> *._smimecert.example.net. IN SMIMEA 2 1 1
>>
> On Apr 12, 2017, at 12:19 PM, Paul Wouters wrote:
>
>> That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may
>> give the privacy I seek.
>
> It will, but you will then have to come up with a lookup system to find
> the SMIME cert for a given user.
No
On Tue, 11 Apr 2017, Alice Wonder wrote:
That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may give
the privacy I seek.
It will, but you will then have to come up with a lookup system to find
the SMIME cert for a given user. If I want to email you without having
prior
On 04/11/2017 12:15 PM, Paul Wouters wrote:
On Tue, 11 Apr 2017, Alice Wonder wrote:
If the serial number for the x.509 certificate is a salt for the hash,
then spammers can not determine the validity of an e-mail address from
DNS but those who already have the certificate can use DNS to DANE
Hello,
This is with respect to DNSSEC validation for S/MIME
When generating a hash for use in DNS, the draft for DANE/SMIME
currently only uses the username portion of the address.
The obvious (and noted) privacy implications are that someone could
discover e-mail addresses by rainbow table DNS
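
The owner-name derivation this thread is discussing, as an added example that is not part of any message above: `smimea_owner_name` follows the rule as published in RFC 8162 (SHA2-256 of the local-part, truncated to 28 octets), and shows why the label can be precomputed independently of the domain. `salted_owner_name` is a hypothetical construction of the "serial number as salt" idea raised in the thread; how the salt is encoded and combined is an assumption, and the addresses and serial numbers are constructed sample values.

```python
import hashlib


def _split(address: str) -> tuple[str, str]:
    """Split an address into (local-part, domain) at the last '@'."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local-part@domain")
    return local, domain.rstrip(".")


def smimea_owner_name(address: str) -> str:
    """Owner name per RFC 8162: hex(SHA2-256(local-part)[:28])._smimecert.<domain>.

    Only the local-part is hashed, and it is hashed as given (no case folding),
    so the first label is the same for a given user name at every domain.
    """
    local, domain = _split(address)
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._smimecert.{domain}."


def salted_owner_name(address: str, cert_serial: int) -> str:
    """Hypothetical salted variant (an assumption, not part of any specification).

    The certificate serial number is prepended to the local-part before hashing,
    so only someone who already holds the certificate can derive the label.
    """
    local, domain = _split(address)
    if cert_serial < 0:
        raise ValueError("serial number must be non-negative")
    salt = cert_serial.to_bytes((cert_serial.bit_length() + 7) // 8 or 1, "big")
    label = hashlib.sha256(salt + local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._smimecert.{domain}."


if __name__ == "__main__":
    # Constructed sample addresses and serial numbers.
    for addr in ("alice@example.net", "alice@example.org"):
        print("unsalted:", smimea_owner_name(addr))
    for serial in (0x1A2B3C, 0x1A2B3D):
        print("salted:  ", salted_owner_name("alice@example.net", serial))
```

The two unsalted names share their first label, which is the property the privacy concern rests on; the salted labels differ per certificate, at the cost noted in the thread that a sender without the certificate has no way to compute the name to query.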