Murray S. Kucherawy wrote:
> So I'll switch ATPS to what TPA did and use SHA1+base32, which
> constrains the encoding to 32 bytes just like MD5 and isn't that
> much more expensive but is definitely more palatable.

This might suggest then that the ATPS extension for ADSP might need
something like DKIM's k= for the _adsp._domainkey.author-domain record:

    atps=y; k=md5; <-- easy, but not IETF recommended
    atps=y; k=murray; <-- SHA1+base32, maybe IETF recommended
    atps=y; k=future;

In fact, you might as well go the extra mile with a plain text:

    atps=y; k=text;

Because IMHO, we don't have to waste time with the inevitable - how
hashing doesn't hide anything against anyone we are worried about, but
increases the complexity and management for the average person.
Literal storage is better in my view because most domains are not
going to subject their users to extremely long names. As a side
note: the WebSocket WG people are going through a similar issue right
now with complaints of useless complexity with its hashed ping/pong
handshaking that doesn't solve any security hacking attempt whatsoever
but made it more complex for application developers to implement.
Using k= as suggested above may allow showing how ATPS early adopters
want to do this during the experimentation phase.
--
HLS
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
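
The label construction discussed in this message, as an added example that is not part of the original post or of any ATPS draft: it builds the ATPS query name for each of the `k=` values floated above and shows why both hashed forms come out at 32 characters while the literal form tracks the domain's length. The `k=` selector itself is the hypothetical from the message; the function names, the lowercasing of the base32 output and the example.* domains are assumptions made here.

```python
import base64
import hashlib

ATPS_TAG = "_atps"  # label between the signer label and the author domain


def atps_label(signer_domain: str, k: str = "murray") -> str:
    """Leftmost part of the ATPS query name for signer_domain.

    k uses the hypothetical values from the message: md5, murray, text.
    """
    name = signer_domain.rstrip(".").lower().encode("ascii")
    if k == "md5":
        # 16-byte digest rendered as hex -> always 32 characters
        return hashlib.md5(name).hexdigest()
    if k == "murray":
        # SHA1 is 20 bytes = 160 bits; base32 carries 5 bits per character,
        # so the result is exactly 32 characters with no '=' padding.
        digest = hashlib.sha1(name).digest()
        return base64.b32encode(digest).decode("ascii").lower()
    if k == "text":
        # Literal storage: readable, but the length follows the domain.
        return name.decode("ascii")
    raise ValueError(f"unsupported k= value: {k}")


def atps_query_name(signer_domain: str, author_domain: str,
                    k: str = "murray") -> str:
    """Full name to look up, checked against DNS length limits."""
    author = author_domain.rstrip(".").lower()
    qname = f"{atps_label(signer_domain, k)}.{ATPS_TAG}.{author}"
    # DNS allows 63 octets per label and 253 characters per name.
    if len(qname) > 253 or any(len(l) > 63 for l in qname.split(".")):
        raise ValueError("query name exceeds DNS length limits")
    return qname


def match_signer(label: str, candidates, k: str = "murray"):
    """Return the candidate domain that produces label, or None.

    Recomputing the label per candidate is all it takes to map a hashed
    label back to a domain name.
    """
    for domain in candidates:
        if atps_label(domain, k) == label.lower():
            return domain
    return None


if __name__ == "__main__":
    for k in ("md5", "murray", "text"):
        print(k, atps_query_name("example.net", "example.com", k))
```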