ietf-openpgp

Re: [openpgp] [dane] The DANE draft

2015-08-06 03:54:58
On Thu, 6 Aug 2015, Jiankang Yao wrote:

> If there is an "email zone walking", the email spammer can use this feature to
> get the valid addresses easily and send trash emails.
> If we hope to prevent the spammer from getting the email address easily, the email
> address should be regarded as secret.

So if you use NSEC3 and base32, they need to break the NSEC3 hashing,
which has various parameters to make it easier or harder, but all are
basically in the range of a few days of GPU cracking.

If you use NSEC3 and sha256(LHS) then the work increase is basically
making a table for every 8 letter combination and dictionary names which
should be far fewer computations than the NSEC3 breaking. And to defend
your email address against this, you have to make it so it is not easily
guessable with known names and that makes it harder to convey your email
address verbally to other people - the exact opposite of what you want.

Also, the only current alternative for people is to push their email
address plaintext to a keyserver. So even with base32, we are
increasing the privacy of email addresses of openpgp users.

I really do believe that the hashing is not an effective security
measure.

Paul

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
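
Added example, not part of the original message or of the draft: a check a zone operator could run over their own published labels to see which local-parts a precomputed name table recovers from sha256(LHS), next to the base32 form, which decodes directly. The hex encoding of the hash, the unpadded lowercase base32 label, the candidate patterns and all sample names are assumptions constructed for illustration.

```python
import base64
import hashlib
from itertools import permutations


def sha256_label(local_part: str) -> str:
    # Assumed label form: hex of SHA-256 over the UTF-8 local-part (LHS).
    return hashlib.sha256(local_part.encode("utf-8")).hexdigest()


def base32_label(local_part: str) -> str:
    # Assumed label form: base32, lowercased, padding stripped.
    raw = base64.b32encode(local_part.encode("utf-8")).decode("ascii")
    return raw.rstrip("=").lower()


def base32_unlabel(label: str) -> str:
    # base32 is an encoding, not a hash: restore padding and decode.
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded).decode("utf-8")


def candidates(names):
    # Guessable patterns: bare names and first.last pairs.
    yield from names
    for first, last in permutations(names, 2):
        yield f"{first}.{last}"


def guessable(published_labels, names):
    # One table build covers every zone that uses the same unsalted hash.
    table = {sha256_label(c): c for c in candidates(names)}
    return {lbl: table[lbl] for lbl in published_labels if lbl in table}


# Constructed sample zone: two pronounceable local-parts, one random one.
ZONE_LOCAL_PARTS = ["paul", "alice.smith", "x7q-kd92-vv"]
PUBLISHED = [sha256_label(lp) for lp in ZONE_LOCAL_PARTS]
WORDLIST = ["paul", "alice", "bob", "smith"]  # constructed name list

if __name__ == "__main__":
    hits = guessable(PUBLISHED, WORDLIST)
    for lp in ZONE_LOCAL_PARTS:
        status = "recovered" if sha256_label(lp) in hits else "not in table"
        print(f"{lp:14} sha256: {status:13} base32: "
              f"{base32_unlabel(base32_label(lp))}")
```

Only the local-part that cannot be spoken aloud survives the table lookup, which is the trade-off the message describes.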
