Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Viktor Dukhovni <> Fri, 07 February 2014 01:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E6D5E1A059D for <>; Thu, 6 Feb 2014 17:48:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mRJd5YwtBd0H for <>; Thu, 6 Feb 2014 17:48:11 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 82D8E1A058F for <>; Thu, 6 Feb 2014 17:48:11 -0800 (PST)
Received: by (Postfix, from userid 1034) id 8D63B2AB23D; Fri, 7 Feb 2014 01:48:09 +0000 (UTC)
Date: Fri, 7 Feb 2014 01:48:09 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <07a801cf23a1$a5b62c00$f1228400$>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <07a801cf23a1$a5b62c00$f1228400$>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Feb 2014 01:48:14 -0000

On Thu, Feb 06, 2014 at 05:12:18PM -0800, Jim Schaad wrote:

> A trivial way to avoid the global dictionary is to simply hash the email
> address - that is both the local part and the domain.  This would make it
> unique for each domain.

This also works, but is twice as fast as HMAC, where as my concern
is that even HMAC is too fast.  Of course a factor of 2 is not a
real deterrent.  So I must admit that there is no compelling reason
to prefer HMAC over SHA2-224, provided the hash covers the domain.

Perhaps I should mention the fact that in order to perform the
off-line dictionary attack the attacker first has to discover a
large fraction of the domain's NSEC3 records (assuming the domain
does not provide NSEC records) and then dictionary attack the NSEC3
RRs.  Thus he at least has to perform multiple NSEC3 hash iterations
(far too few sadly to prevent off-line discovery of the most common
user names).

The iteration counts for NSEC3 are additive with respect to any
iterations we might impose on the SMIMEA lookup key, rather than
multiplicative because at any given time for a given zone all NSEC3
RRs have the same salt, and thus for each guess at a user name it
is easy to compute the SMIMEA query domain, and thus the corresponding
NSEC3 value for the current zone salt.