[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [GNUnet-developers] NSEC5
|
From: |
Christian Grothoff |
|
Subject: |
Re: [GNUnet-developers] NSEC5 |
|
Date: |
Wed, 4 Jan 2017 18:57:05 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 |
I've been aware of the theorem for a while. The complete theorem is a
bit more complex, as this is about NXDOMAIN *and* zone enumeration.
Basically, you can choose to support NXDOMAIN and not have zone
enumeration and then need to do online signing, or you can have
NXDOMAIN, support offline signing and allow zone enumeration, OR you can
support offline signing, not have zone enumeration, and NOT support
NXDOMAIN.
In GNS, we simply do not support NXDOMAIN.
On 01/04/2017 05:22 PM, Jeff Burdges wrote:
>
> Just learned there is a theorem that protecting against zone enumeration
> requires some sort of "online" crypto, assuming you need authentication
> or osmething. Ask if you want me to try to find a reference.
>
>
> It came up in a talk on NSEC5 which requires sharing the secret key for
> a verifiable random function (VRF) with the name server, but not the
> zone key.
>
> http://eprint.iacr.org/2016/083
> http://www.cs.bu.edu/~goldbe/papers/nsec5.html
>
>
> Not sure any of this stuff would be relevant for GNS type schemes.
>
>
>
>
> _______________________________________________
> GNUnet-developers mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/gnunet-developers
>
signature.asc
Description: OpenPGP digital signature