commit 22804bb256e55b25a0828e41a60947949d713ef9
parent fe9adeeb7546449c385f86282aaa25f031a205c5
Author: Christian Grothoff <christian@grothoff.org>
Date: Sat, 1 Jul 2023 01:01:56 +0200
improve English/structure in Zone Privacy section
Diffstat:
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -2746,26 +2746,26 @@ NICK: john (supplemental)
<t>
GNS does not support authenticated denial of existence of names
within a zone.
- Record blocks are published in encrypted form using keys derived from the
+ Record data is published in encrypted form using keys derived from the
zone key and record label. Zone administrators should
- carefully consider if the label and zone key is public or if
- those should be used and considered as a shared secret.
- Unlike zone keys, labels can also be guessed by
- an attacker in the network observing queries and responses. Given
- a known and targeted zone key, the use of well known or easily guessable
- labels effectively results in general disclosure of the records to
- the public.
- If the labels and hence the records should be kept secret except to
- those knowing a secret label and the zone in which to look, the
- label must be chosen accordingly. It is recommended to then use a
- label with sufficient entropy as to prevent guessing attacks.
+ carefully consider if a label and zone key are public, or if
+ one or both of these should be used as a shared secret to restrict access
+ to the corresponding record data.
+ Unlike public zone keys, low-entropy labels can be guessed by an attacker. If an attacker
+ knowns the public zone key, the use of well known or guessable
+ labels effectively threatens the disclosure of the corresponding records.
</t>
<t>
- It should be noted that this attack on labels only applies if the
+ It should be noted that the guessing attack on labels only applies if the
zone key is somehow disclosed to the adversary. GNS itself
does not disclose it during a lookup or when resource records are
- published as the zone keys are blinded beforehand. However,
- zone keys do become public during revocation.
+ published (as only the blinded zone keys are used on the network).
+ However, zone keys do become public during revocation.
+ </t>
+ <t>
+ It is thus <bcp14>RECOMMENDED</bcp14> to use a
+ label with sufficient entropy to prevent guessing attacks
+ if any data in a resource record set is sensitive.
</t>
</section>
<section anchor="sec_governance">
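Review bot: typo in the added line `knowns the public zone key, the use of well known or guessable` ("knowns" should be "knows"), and since "well known" modifies "labels" it should be hyphenated as "well-known". The rest of the rewording reads clearly; moving the entropy recommendation into its own paragraph with `<bcp14>RECOMMENDED</bcp14>` is a good change, as the original phrasing "It is recommended" did not use the BCP 14 keyword.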