On 05/08/15 16:12, Paul Hoffman wrote:
Wearing my author hat: I don't care between b32 and hashing. Both are
equally easy to document. However:
On 5 Aug 2015, at 4:28, Stephen Farrell wrote:
So sorry to continue an argument but shouldn't this experiment be
a more conservative about privacy just in case it ends up wildly
successful?
How is using the hash more conservative about privacy, except in zones
that are signed with NSEC instead of the more common NSEC3? If you
assume zones signed with NSEC3, both options are equally susceptible to
dictionary-based guessing attacks, given that the effort to create
search dictionaries for the billion of common LHS names is pretty low
even for hashes.
Tempora. That on-path attacker has a far easier time reversing the
b32 than anything based on the hash. Even with DPRIVE, we don't know
how to handle the recursive to authoritative part.
So a "putative other protocol that copies this" could well do a great
job on hiding identifiers only to be caught out by following this b32
convention.
I do accept that hashing doesn't make much difference for PGP or SMIME
since the DNS answer in the success case almost certainly gives the
game away, but I don't think that has to be true in general.
The failure case may also be of interest though, with hashing, that DNS
answer doesn't immediately tell the attacker to whom I'd like to send
email. And I guess if some MUA adopts this there'll be quite a few
negative answers for quite some time, so there's a privacy difference
there I think. (Not sure if that was raised before - apologies if so.)
S.
--Paul Hoffman
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp