IETF Logo Mail Archive

Re: [dane] [openpgp] The DANE draft

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 05 August 2015 19:04 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D977C1A7012 for <dane@ietfa.amsl.com>; Wed, 5 Aug 2015 12:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sEEFxL849vvH for <dane@ietfa.amsl.com>; Wed, 5 Aug 2015 12:04:49 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C05A1A21AD for <dane@ietf.org>; Wed, 5 Aug 2015 12:04:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 62C64BE8A for <dane@ietf.org>; Wed, 5 Aug 2015 20:04:47 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWk9PEhLCDlI for <dane@ietf.org>; Wed, 5 Aug 2015 20:04:46 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.29.233]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 589E7BE4C for <dane@ietf.org>; Wed, 5 Aug 2015 20:04:46 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1438801486; bh=Bygvxf2VBstloHsICwYJBtf8Pyi3upD9aYL2fWa1jQE=; h=Date:From:To:Subject:References:In-Reply-To:From; b=xYHa7V0EBVV+HTSJjaa7/BZd1kdn/iPw91oPgAYwlcmpKXfr8CnxXMzrnDcpAs1cl K0X3yuoCW70MIXMcJRpVWx5nzxoPMp4C555cDBhFOWOp9z/JpOZgFKFtr61bnmPGnj cKmZAXE9xm5RsBFeLWeHzWtpnFS2zhIFZV6oe6+Q=
Message-ID: <55C25E4E.7000302@cs.tcd.ie>
Date: Wed, 05 Aug 2015 20:04:46 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: dane@ietf.org
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87bnf1hair.fsf@alice.fifthhorseman.net> <alpine.LFD.2.11.1507250832510.854@bofh.nohats.ca> <87bnem2xjq.fsf@alice.fifthhorseman.net> <alpine.LFD.2.11.1508050331340.1451@bofh.nohats.ca> <55C1F35A.5070904@cs.tcd.ie> <B7419740-25C9-4F8D-85AE-FC6E11BCC038@vpnc.org> <55C22AD4.5010709@cs.tcd.ie> <DB1E53C6-11DF-4194-852D-776B670E2409@vpnc.org> <55C23B3D.1030502@posteo.de> <20150805183246.GQ19228@mournblade.imrryr.org>
In-Reply-To: <20150805183246.GQ19228@mournblade.imrryr.org>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/CSFo79KVbB_MY57-5G4W_AbujqM>
Subject: Re: [dane] [openpgp] The DANE draft
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 19:04:56 -0000

Hiya,

On 05/08/15 19:32, Viktor Dukhovni wrote:
> I don't think hashing (without salt) provides sufficient obfuscation
> to deter on-path attacks. 

Compared to b32 hashing is clearly less bad, if we're putting
user-specific identifiers in the DNS. The requirement to have a
large table and to pre-calculate that does increase the effort for
attachers. I don't think anyone has claimed that that would
deter all attackers. And even for the most capable attacker,
it would I think make it a little harder to do some kinds of
pattern matching.

And btw, I would assume use of a salt is impractical as would
any mechanism that means that DNS queries for the same thing
will differ each time. That seems more like a DNS-next-gen
thing, but maybe I'm wrong about that. Be nice if so, but I
suspect not.

S.

v2.23.0 | Report a Bug | By Email