On Wed 2015-08-05 11:25:08 -0400, Stephen Farrell wrote:
Tempora. That on-path attacker has a far easier time reversing the
b32 than anything based on the hash. Even with DPRIVE, we don't know
how to handle the recursive to authoritative part.
So a "putative other protocol that copies this" could well do a great
job on hiding identifiers only to be caught out by following this b32
convention.
I do accept that hashing doesn't make much difference for PGP or SMIME
since the DNS answer in the success case almost certainly gives the
game away, but I don't think that has to be true in general.
The failure case may also be of interest though, with hashing, that DNS
answer doesn't immediately tell the attacker to whom I'd like to send
email. And I guess if some MUA adopts this there'll be quite a few
negative answers for quite some time, so there's a privacy difference
there I think. (Not sure if that was raised before - apologies if so.)
yep, i raised that concern too, thanks for reinforcing it :)
the cost of inverting a digest is definitely more than the cost of
inverting b32, but it's unlikely to be difficult for an interested
attacker to invert otherwise low-entropy domain names or localparts of
e-mail addresses.
see djb's writeup on nsec3walker for a related example of how low the
bar is for doing large-scale hashing with the kind of low-entropy input
spaces found in DNS:
http://dnscurve.org/nsec3walker.html
It's not exactly the same problem, but a good example of how small the
protection is against a motivated adversary in this context.
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp