Steven M. Bellovin wrote:
> Let me point folk at http://www.securityfocus.com/news/5654
> for a related issue.  To put it very briefly, *real* authentication is
> hard.

It may be that real authentication is hard, but the unbelievably sloppy
practices of domain name registrars doesn't prove the case.

Imagine if property ownership were recorded with the same degree of rigor.
"I'm sorry, sir, but you don't own your house any more.  We received a
typewritten letter with your name on it saying you were transferring
ownership to ShoppingMall Inc.  The demolition teams are moving in,
and I'm afraid you'll have to be out by Friday."

Domain names are handled carelessly while real estate is not, due to
many factors.  Probably one of the main ones is the relative immaturity
of the domain name system compared to the centuries of experience we
have evolving mechanisms to deal with real property.

Clearly the registrars are making little or no effort to authenticate
domain name transfers at present.  At one time you could specify that only
messages signed with a given PGP key would authorize a transfer, but that
precaution has apparently disappeared, no doubt due to lack of interest
and the costs of support.  Maybe this could be something that a registrar
could use to differentiate itself from the many otherwise-identical
competitors in the market: we won't let your domain names get stolen.
What a novel concept.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to