IETF Logo Mail Archive

Re: [dane] [openpgp] The DANE draft

Patrick Ben Koetter <p@sys4.de> Wed, 05 August 2015 13:11 UTC

Return-Path: <p@sys4.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB9D1A0377 for <dane@ietfa.amsl.com>; Wed, 5 Aug 2015 06:11:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level:
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QGGytcSPhA8L for <dane@ietfa.amsl.com>; Wed, 5 Aug 2015 06:11:26 -0700 (PDT)
Received: from mail.sys4.de (mail.sys4.de [IPv6:2001:1578:400:111::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ABDD1A0276 for <dane@ietf.org>; Wed, 5 Aug 2015 06:11:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sys4.de; h= in-reply-to:content-transfer-encoding:content-disposition :content-type:content-type:mime-version:references:message-id :subject:subject:from:from:date:date; s=mail201310; t= 1438780282; x=1440594683; bh=21GF47jiNk/1wCiAZ7EKZOlCOGuhU3xt+/j 4yXk1hbM=; b=NHJmnXU7bZWqdhSB02OWk5Pqs/Btqk3s2qDY01HcoFrJv7FYV0H A5m9GLqMXz1eeJEj3LMJPkQ6tMIr8P5SrrQ3g7dtLwp6PhBTgwj1CB4Dqofq6hDm v7gTw9sLiuVjSQOoBSKJWOf6CsIEM389uazqe1r2yAZwGYZXHovfgzngv7JZXF+S kIDzategDKyEqFXBA7LlCaZA8wsVoQT/B3p/61mcpIGI2qs8AMKQCB0mGsSqXT4n xqyXE4RV24qHbT3yW0KQOy9797NQiXnJxJcQgb8oZeabY89q9lx1NtbUBGtdkfon WRLwSBnMhNdrrndopZu5btzJ4pKK5KTypZA==
X-Virus-Scanned: Debian amavisd-new at mail.sys4.de
Received: from sys4.de (ppp-88-217-18-155.dynamic.mnet-online.de [88.217.18.155]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sys4.de (Postfix) with ESMTPSA id 3mmYHZ5FbZzDS for <dane@ietf.org>; Wed, 5 Aug 2015 15:11:22 +0200 (CEST)
Date: Wed, 05 Aug 2015 15:11:21 +0200
From: Patrick Ben Koetter <p@sys4.de>
To: dane@ietf.org
Message-ID: <20150805131120.GA12058@sys4.de>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87bnf1hair.fsf@alice.fifthhorseman.net> <alpine.LFD.2.11.1507250832510.854@bofh.nohats.ca> <87bnem2xjq.fsf@alice.fifthhorseman.net> <alpine.LFD.2.11.1508050331340.1451@bofh.nohats.ca> <55C1F35A.5070904@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <55C1F35A.5070904@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/udcutl1SyYtFp-uoe3gfNf1e3gA>
Subject: Re: [dane] [openpgp] The DANE draft
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 13:11:28 -0000

* Stephen Farrell <stephen.farrell@cs.tcd.ie>:
> 
> 
> On 05/08/15 09:14, Paul Wouters wrote:
> >>
> >>
> >> I have no strong preference for base32 vs. digested localpart for the
> >> hostname.  Digested localparts require a little bit more work to invert
> >> than base32, but given the low entropy of typical normalized localparts,
> >> they don't provide a lot of protection against a determined attacker.
> > 
> > And as clearly stated, were never meant to provide security.
> 
> Hmm.
> 
> With no hats, I gotta say I prefer the harder to invert local part
> (i.e. hashed) to the reversible one (b32).
> 
> If this experiment ends up successful, then I think we'll be setting
> a precedent for other per-user identifiers to be used as part of a
> DNS name so I do not believe that arguments about this aspect ought
> be decided solely based on PGP or SMIME or DANE. We should also
> consider that some other protocol is highly likely to follow what
> seems to have worked (just as _blah.example.com has been mimicked)
> and where we don't now know the privacy consequences of copying
> the pattern we're setting here.
> 
> For that reason, I really would prefer that we stick to the hash and
> not go for the reversible per-user identifier.

ACK

p@rick


-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

v2.23.0 | Report a Bug | By Email