Hi,

On 9/16/15 12:14 PM, Philip Homburg wrote:
> In your letter dated Tue, 15 Sep 2015 21:11:05 -0400 you wrote:
>> In addition, as Christian more or less pointed out, if the IETF
>> is really making a very strong commitment to privacy, creating
>> an easily-harvestable source of verified email addresses doesn't
>> seem to be a good idea. Perhaps the tradeoffs justify it, but
>> the document would be a lot better if that particular analysis
>> and set of considerations were explained.
> I'm curious about the attack scenario here.
>
> Assuming the DNS zone is properly protected using NSEC3, performing a
> dictionary attack would mean either one DNS request per try or one NSEC3 hash.
> I'm assuming here that NSEC3 can be made at least as expensive as any
> proposed hashing scheme for the LHS of the e-mail address.

When this is true you may be right. And I state this as someone who has deployed DNSSEC. Most haven't. That's a pity.

> One DNS request is about as expensive as trying a RCPT TO on the mail server
> itself.

Perhaps but you seem to think it's an either/or thing. It seems likely that once they're there, someone's going to try to get at them. We simply can't expect otherwise.

Eliot