Hi Phillip,

I wasn't aware that DNSSEC existed yet (outside a few obscure European TLDs?). Since you appear to work for Verisign, and I'd like to set this up, can you please send me a URL where I can obtain a signed DNSSEC certificate for my .COM domain?
Kind Regards,
Chris Drake

Saturday, January 5, 2008, 6:18:14 AM, you wrote:

HBP> You can use domain validated SSL certificates or DNSSEC here. Either is sufficient.
HBP> There is no technology gap here.

>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Artur Bergman
>> Sent: Friday, January 04, 2008 6:14 AM
>> To: Trevor Johns
>> Cc: 'OpenID specs list'
>> Subject: Re: OpenID Email Discovery
>>
>>
>> On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:
>>
>> > On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
>> >
>> >> Fair or not, I am tired of hearing how insecure DNS is, when everything
>> >> we do is based on it, and it being the world's largest working
>> >> distributed database.
>> >
>> > There's a difference between working and secure. For example, email
>> > works great but it's far from secure.
>> >
>>
>> Whatever, this discussion is old and bores me. You can always go out
>> and use DNSSEC.
>>
>> >> There is SSL connecting to the provider that is being referred
>> >> from the srv/txt field. Which is no different than what you are
>> >> referenced to from an A or CNAME or MX.
>> >
>> > Which is why I said it depends on what is used as the claimed
>> > identifier. If the user's email address is used as the claimed
>> > identifier and I am able to change the user's record from:
>> >
>> >     example.com TXT OpenID * 10 https://*.example.com/
>> >
>> > to:
>> >
>> >     example.com TXT OpenID * 10 https://*.myevilsite.com/
>> >
>> > then all the SSL in the world won't help.
>> >
>> > If the email address _isn't_ the claimed identifier, then the end
>> > user has to validate that their OP-local identifier (which they
>> > don't know) is displayed correctly by the service provider. This is
>> > worse than an SSL failure; there isn't even a dialog asking them to
>> > click OK!
>> >
>>
>> Not that it matters anyway, since people just click OK.
>>
>> >
>> >
>> > If a service provider detects an SSL failure, there's no person
>> > there to press okay. Their server will just summarily deny the
>> > authentication request.
>> >
>> > The "click OK" problem is only between client-server communication.
>> > This is server-server communication.
>>
>> Isn't this just a lookup of email address -> openid/url that is then
>> handled as a normal openid login?
>>
>> Artur

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
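The email-address-to-OP lookup and the TXT substitution that Trevor describes in the quoted thread, as an added example that is not code from the OpenID specs list, the Email Discovery draft, or any OpenID library. The record grammar assumed here ("OpenID <local-part-glob> <priority> <url-template>", with `*` in the template standing for the local part and lower priority winning) is my reading of the two records quoted above, not something the thread states; the zone dictionaries are constructed stand-ins for a resolver; and `op_in_email_domain` is my own added check, not part of the discussion: it shows what a domain-validated certificate can vouch for (the host the RP connects to) and what it cannot (that the TXT answer itself was genuine), which is the gap DNSSEC is meant to close.

```python
"""Email address -> OpenID provider discovery over DNS TXT records.

Added example; not code from the OpenID specs list, the Email Discovery
draft, or any OpenID library. Assumptions (mine, not the thread's): a TXT
rdata string of the form "OpenID <local-part-glob> <priority> <url-template>",
where '*' in the template is replaced by the local part of the address and
the lowest priority wins. The "zone" is a constructed dict standing in for
a DNS resolver's (unsigned) answer.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed data: the record quoted in the thread, and the same owner
# after an attacker has rewritten it (the substitution the thread describes).
GOOD_ZONE = {"example.com": ["OpenID * 10 https://*.example.com/"]}
TAMPERED_ZONE = {"example.com": ["OpenID * 10 https://*.myevilsite.com/"]}


def parse_txt(rdata):
    """Parse one TXT rdata string; return (glob, priority, template) or None."""
    parts = rdata.split()
    if len(parts) != 4 or parts[0] != "OpenID":
        return None
    try:
        priority = int(parts[2])
    except ValueError:
        return None
    return parts[1], priority, parts[3]


def discover(email, zone):
    """Resolve an email address to an OP URL using the zone's TXT records."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        return None
    matches = []
    for rdata in zone.get(domain.lower(), []):
        rec = parse_txt(rdata)
        if rec is not None and fnmatchcase(local, rec[0]):
            matches.append(rec)
    if not matches:
        return None
    _, _, template = min(matches, key=lambda r: r[1])
    # Whatever the (unsigned) TXT answer says is what the RP will contact.
    return template.replace("*", local)


def op_in_email_domain(op_url, email):
    """Added check (not in the thread): accept the OP only if its host is the
    email's domain or a subdomain of it. A domain-validated certificate only
    vouches for the host the RP connects to; this ties that host back to the
    address being claimed. It does not authenticate the TXT record itself,
    which is what DNSSEC is for."""
    host = (urlsplit(op_url).hostname or "").lower()
    domain = email.rpartition("@")[2].lower()
    return bool(host) and (host == domain or host.endswith("." + domain))


def resolve(email, zone):
    """Discovery plus the domain check; returns (op_url, accepted)."""
    op_url = discover(email, zone)
    if op_url is None:
        return None, False
    return op_url, op_in_email_domain(op_url, email)


if __name__ == "__main__":
    for name, zone in (("genuine", GOOD_ZONE), ("tampered", TAMPERED_ZONE)):
        url, ok = resolve("alice@example.com", zone)
        print(f"{name:8} -> {url}  accepted={ok}")
```

With the genuine zone the address resolves to https://alice.example.com/ and passes the check; with the tampered zone it resolves to https://alice.myevilsite.com/, which a DV certificate for myevilsite.com would happily validate, and only the added domain check rejects it. Neither SSL nor this check tells the RP that the record was changed; that requires the answer itself to be signed.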