Re: [dane] Improving DANE S/MIME Privacy

2017-04-12 Thread Viktor Dukhovni
> On Apr 12, 2017, at 11:59 PM, Phil Pennock wrote:
>
>> I should note that one can of course implement one's SMIMEA deployment
>> in exactly this way, something along the lines of:
>>
>> *._smimecert.example.net. IN SMIMEA 2 1 1

Re: [dane] Improving DANE S/MIME Privacy

2017-04-12 Thread Viktor Dukhovni
> On Apr 12, 2017, at 12:19 PM, Paul Wouters wrote:
>
>> That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may
>> give the privacy I seek.
>
> It will, but you will then have to come up with a lookup system to find
> the SMIME cert for a given user.

No

Re: [dane] Improving DANE S/MIME Privacy

2017-04-12 Thread Paul Wouters
On Tue, 11 Apr 2017, Alice Wonder wrote:

> That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may
> give the privacy I seek.

It will, but you will then have to come up with a lookup system to find
the SMIME cert for a given user. If I want to email you without having prior

Re: [dane] Improving DANE S/MIME Privacy

2017-04-11 Thread Alice Wonder
On 04/11/2017 12:15 PM, Paul Wouters wrote:

> On Tue, 11 Apr 2017, Alice Wonder wrote:
>
>> If the serial number for the x.509 certificate is a salt for the hash,
>> then spammers can not determine the validity of an e-mail address from
>> DNS but those who already have the certificate can use DNS to DANE

[dane] Improving DANE S/MIME Privacy

2017-04-11 Thread Alice Wonder
Hello,

This is in respect to DNSSEC validation for S/MIME.

When generating a hash for use in DNS, the draft for DANE/SMIME currently only uses the username portion of the address. The obvious (and noted) privacy implications are that someone could discover e-mail addresses by rainbow table DNS