Daniel E. Renfer wrote:
> While I haven't been able to find a good list of domains that meet
> this requirement, what does everybody think of the idea that if you
> can't find a DNS entry for the domain part of the trust root then it's
> not a good candidate for a trust root.
>
> Maybe it's just my DNS servers, but I'm not getting a response for
> things such as "com" or "co.uk"
>
> any thoughts?
>
The DNS lookup is interesting, but I feel a relying party should white-list the sites it accepts and only accept those. Any other "mechanical" trust relationships (such as generic blacklists) are likely to be worth next to nothing, so the RP might as well ignore checking for return address being in the trust root's set.

Hans

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
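The two checks discussed in this thread, side by side, as an added example that is not code from either poster or from the OpenID specification: it reports the allow-list verdict, the DNS heuristic, and whether the return address falls under the trust root as separate results so they can be compared. The names `ALLOWED`, `SAMPLE_DNS`, `sample_resolver` and `evaluate` are hypothetical, the sample domains are constructed, and ports are not compared.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the thread).
ALLOWED = {"example.com"}                             # sites explicitly accepted
SAMPLE_DNS = {"example.com", "unknown-site.example"}  # names that "resolve"

def sample_resolver(host):
    """Offline stand-in for a DNS lookup, backed by SAMPLE_DNS."""
    return host in SAMPLE_DNS

def dns_resolves(host):
    """Live version of the DNS heuristic: does the name have an address?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def split_trust_root(trust_root):
    """Split e.g. http://*.example.com/app into (scheme, domain, wildcard, path)."""
    parts = urlsplit(trust_root)
    host = (parts.hostname or "").lower()
    wildcard = host.startswith("*.")
    return parts.scheme.lower(), host[2:] if wildcard else host, wildcard, parts.path or "/"

def evaluate(trust_root, return_to, allowed=ALLOWED, resolves=sample_resolver):
    """Report each check separately so their verdicts can be compared."""
    scheme, domain, wildcard, path = split_trust_root(trust_root)
    rt = urlsplit(return_to)
    rt_host = (rt.hostname or "").lower()
    rt_path = rt.path or "/"
    # Wildcard roots cover subdomains; the path must match on a segment boundary.
    host_ok = rt_host == domain or (wildcard and rt_host.endswith("." + domain))
    path_ok = rt_path == path or rt_path.startswith(path.rstrip("/") + "/")
    return {
        "allow_listed": domain in allowed,
        "resolves": bool(domain) and resolves(domain),
        "return_to_in_root": rt.scheme.lower() == scheme and host_ok and path_ok,
    }

if __name__ == "__main__":
    for root, rt in [
        ("http://*.example.com/", "http://www.example.com/openid/return"),
        ("http://*.com/", "http://anything.com/return"),
        ("http://*.unknown-site.example/", "http://a.unknown-site.example/cb"),
    ]:
        print(root, evaluate(root, rt))
```

Pass `resolves=dns_resolves` to run the heuristic against a real resolver instead of the constructed sample set.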