From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1QllHC-00042X-3E for bitcoin-development@lists.sourceforge.net; Tue, 26 Jul 2011 17:18:38 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of bluematt.me designates 208.79.240.5 as permitted sender) client-ip=208.79.240.5; envelope-from=matt@bluematt.me; helo=smtpauth.rollernet.us; Received: from smtpauth.rollernet.us ([208.79.240.5]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1QllHB-0003cJ-6v for bitcoin-development@lists.sourceforge.net; Tue, 26 Jul 2011 17:18:38 +0000 Received: from smtpauth.rollernet.us (localhost [127.0.0.1]) by smtpauth.rollernet.us (Postfix) with ESMTP id 7BAB6594008 for ; Tue, 26 Jul 2011 10:18:17 -0700 (PDT) Received: from mail.bluematt.me (mail.bluematt.me [IPv6:2001:470:9ff2:2::13]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: @bluematt.me) by smtpauth.rollernet.us (Postfix) with ESMTPSA for ; Tue, 26 Jul 2011 10:18:17 -0700 (PDT) Received: from [IPv6:2001:470:9ff2:1:2c0:caff:fe33:858b] (unknown [IPv6:2001:470:9ff2:1:2c0:caff:fe33:858b]) by mail.bluematt.me (Postfix) with ESMTPSA id 8972C2D9 for ; Tue, 26 Jul 2011 19:18:26 +0200 (CEST) From: Matt Corallo To: Rick Wesson In-Reply-To: References: <1311644156.29866.4.camel@Desktop666> <1311678417.21495.9.camel@Desktop666> <1311691885.23041.2.camel@Desktop666> <1311697476.23041.7.camel@Desktop666> Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-WJnYKX2iqWswXzvVcRXC" Message-ID: <1311700678.23041.13.camel@Desktop666> Mime-Version: 1.0 Resent-From: Matt Corallo Resent-To: bitcoin-development Date: Tue, 26 Jul 2011 19:18:27 +0200 X-Mailer: Evolution 2.32.2 X-Rollernet-Abuse: Processed by Roller Network Mail Services. Contact abuse@rollernet.us to report violations. Abuse policy: http://rollernet.us/abuse.php X-Rollernet-Submit: Submit ID 1ee.4e2ef6d9.26ae0.0 Resent-Message-Id: <20110726171817.7BAB6594008@smtpauth.rollernet.us> Resent-Date: Tue, 26 Jul 2011 10:18:17 -0700 (PDT) X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1QllHB-0003cJ-6v Subject: Re: [Bitcoin-development] bitcoin DNS addresses X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2011 17:18:38 -0000 --=-WJnYKX2iqWswXzvVcRXC Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, 2011-07-26 at 09:50 -0700, Rick Wesson wrote: > [snip] >=20 > > I totally agree, however I don't think DNS-based resolving is a good > > idea here. HTTPS does have several advantages over a DNSSEC-based > > solution without any significant drawbacks that I can see. >=20 > To restate your (con dnssec) points: > o DNS resolution of bitcoin addresses is bad because of potential > MITM attacks > o DNSSEC is not a security measure for mitigating DNS resolution of > bitcoin addresses > because the application would require its own dnssec enabled stub r= esolver That is one point, but yes. >=20 > Please restate > o HTTPS is your preferred method for resolution because? Because it allows for the giving of different addresses to each client based on IP much easier. Its possible with DNS by setting TTL to 0 and hoping that Bitcoin clients will be using their own resolver, but that is far from guaranteed. Additionally, HTTPS stuff has already been coded and implemented, so there's that... Frankly, HTTPS' advantages are very small here, but since they exist, and DNS has no advantages that I can see, I don't see any reason to go with DNS here. I much prefer using a HTTPS library (of which there are many which have had much more thorough security audits) than a DNSSEC-implementing DNS recursion library with the root trust anchors and root servers built-in (are there any?). Maybe I'm missing something here? Matt --=-WJnYKX2iqWswXzvVcRXC Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAABAgAGBQJOLva8AAoJEBrh01BD4I5UM4UP/jiW/khDeyV0S+9YZEO9GcTV 8wAVmohWAMcYRhFwdT4Gsg6hRBhj5ztsIqeN25ZDdSdUYMs9ZxzPIaXDeMezSjvu ytsLtcX9LIPYmTZTgxmA8y2x9ZNkMYa3epawvUiONvofUFGfePFDhThExZyCiGH5 nK01dsa/LyMZuOuZXwb7zJUCAU4F4tsfax+VAYnnO0qNS9fkQwrfNYpzKmE1P4/E HR+hq2tTpfCHWReGN+Vnq/nc2axqT0ZmGGGkr5YOl0LRvYACeXq9PabQDu8eEDWd aXUGWXS8MnnVzeh0VQAWgSM7fzP0MxrlWYXSYf3oKn91vgJ/3syEBc3i0HtQiNAV QiqXgerWd2bD9guTc5qyEU21wwI9bfg8v3Aq45im/4enxcb7RVeMDnJUQeL47vlB PPO7vs53yrCx0Glaq0wkWolZ0XUY99R5VcJu3uUX/ord1t/V0+224qkDTP/YaBaz R3earf5JWhGuJbWOYUgMtYdeW4yoKjVIzTpj1Pg4Hy0Fqofwt0zbrffMT/5+eFLu 9GmBuMUyWr23lPzoOty6yU1iswI5TEEt/f06+xAUo/CTPW/xErILagZ3ZrTs8VuL 7OYiwGa9n3vg1W9LhDOJjYLOZsAz69gjsyaSnL/F2ix4uNVbqLaEFm+AJ8saK/ca W47TqnEYUTo9jaGHMYEX =S4Q1 -----END PGP SIGNATURE----- --=-WJnYKX2iqWswXzvVcRXC--