Steven M. Bellovin wrote: > Let me point folk at http://www.securityfocus.com/news/5654 > for a related issue. To put it very briefly, *real* authentication is > hard.
It may be that real authentication is hard, but the unbelievably sloppy practices of domain name registrars doesn't prove the case. Imagine if property ownership were recorded with the same degree of rigor. "I'm sorry, sir, but you don't own your house any more. We received a typewritten letter with your name on it saying you were transferring ownership to ShoppingMall Inc. The demolition teams are moving in, and I'm afraid you'll have to be out by Friday." Domain names are handled carelessly while real estate is not, due to many factors. Probably one of the main ones is the relative immaturity of the domain name system compared to the centuries of experience we have evolving mechanisms to deal with real property. Clearly the registrars are making little or no effort to authenticate domain name transfers at present. At one time you could specify that only messages signed with a given PGP key would authorize a transfer, but that precaution has apparently disappeared, no doubt due to lack of interest and the costs of support. Maybe this could be something that a registrar could use to differentiate itself from the many otherwise-identical competitors in the market: we won't let your domain names get stolen. What a novel concept. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
