In your letter dated Tue, 15 Sep 2015 21:11:05 -0400 you wrote:
>In addition, as Christian more or less pointed out, if the IETF
>is really making a very strong commitment to privacy, creating
>an easily-harvestable source of verified email addresses doesn't
>seem to be a good idea. Perhaps the tradeoffs justify it, but
>the document would be a lot better if that particular analysis
>and set of considerations were explained.

I'm curious about the attack scenario here. Assuming the DNS zone is properly protected using NSEC3, performing a dictionary attack would mean either one DNS request per try or one NSEC3 hash. I'm assuming here that NSEC3 can be made at least as expensive as any proposed hashing scheme for the LHS of the e-mail address.

One DNS request is about as expensive as trying a RCPT TO on the mail server itself. So the big change is that off-line attacks become possible if off-line signing is used. On-line signing would make attacks on DNS roughly equivalent to attacks on the mail server itself.
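To make the "one NSEC3 hash" unit of work in the message above concrete, here is an added example (not part of the original message or of any draft it discusses) that computes the NSEC3 owner-name hash as defined in RFC 5155 and shows how the zone operator's iteration count sets the cost of each hash. The helper names are hypothetical, and the salt and iteration values in the demo are the ones from RFC 5155's example zone, not values from this thread.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto the base32hex alphabet NSEC3 uses.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def to_wire(name: str) -> bytes:
    """Canonical DNS wire format: lower-case, uncompressed, length-prefixed labels."""
    out = bytearray()
    for label in (l for l in name.rstrip(".").split(".") if l):
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    if len(out) > 255:
        raise ValueError("DNS name longer than 255 octets")
    return bytes(out)

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash (algorithm 1, SHA-1) of an owner name, base32hex encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    # IH(salt, x, 0) = H(x || salt)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    # IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def sha1_invocations(iterations: int) -> int:
    """SHA-1 calls needed per name: the initial hash plus each extra iteration."""
    return iterations + 1

if __name__ == "__main__":
    # Parameters from the RFC 5155 example zone (salt aabbccdd, 12 iterations).
    print(nsec3_hash("example", "aabbccdd", 12))
    for n in (0, 12, 100):
        print(n, "iterations ->", sha1_invocations(n), "SHA-1 calls per name")
```

The same iteration count is paid by the signer for every name in the zone and by validating resolvers for every NSEC3 record they check, so it cannot be raised freely to match a deliberately slow hash.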