I think what Ben was saying is that DNS-SEC would solve the problem of making sure that you know whether or not you're getting the correct IP address for myopenid.com when you resolve it. This thus would prevent the DNS poisoning style of attack and move to using SSL more for the encryption of the connection versus also making sure you're talking to the right host (e.g. no MITM).
The problem so far is that DNS-SEC isn't widely deployed and I think Ben was suggesting that fixing this problem for OpenID would still not be seen as compelling enough to make it happen. Ben, correct me if I'm wrong. --David On Aug 8, 2008, at 12:13 PM, Dick Hardt wrote: > > On 8-Aug-08, at 11:13 AM, Ben Laurie wrote: > >> On Fri, Aug 8, 2008 at 6:37 PM, Dick Hardt <[EMAIL PROTECTED]> wrote: >>> What if OpenID required DNS-SEC critical parts of the protocol? >>> >>> The objective is to bind of the DNS identifiers to documents. >>> >>> This could be a driver for DNS-SEC. Thoughts on this Ben? >> >> DNSSEC certainly solves the underlying DNS problem, and definitely >> could be extended to solve all sorts of other problems. >> >> Whether problems in OpenID will be found signfiicantly more >> compelling >> than existing arguments is another question. > > Would you elaborate or provide a pointer? Your wisdom here would be > really useful! > > -- Dick > _______________________________________________ > security mailing list > [email protected] > http://openid.net/mailman/listinfo/security _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
