On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:

> On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
>
>> Fair or not, I am tired of hearing how insecure DNS is, when  
>> everything we do is based on it, and it is the world's largest  
>> working distributed database.
>
> There's a difference between working and secure. For example, email  
> works great but it's far from secure.
>

Whatever, this discussion is old and bores me. You can always go out  
and use DNSSEC.

>> There is SSL connecting to the provider that is being referred  
>> to from the srv/txt field. Which is no different from what you are  
>> referred to from an A or CNAME or MX.
>
> Which is why I said it depends on what is used as the claimed  
> identifier. If the user's email address is used as the claimed  
> identifier and I am able to change the user's record from:
>
>       example.com   TXT   'OpenID * 10 https://*.example.com/'
>
> to:
>
>       example.com   TXT   'OpenID * 10 https://*.myevilsite.com/'
>
> then all the SSL in the world won't help.
>
> If the email address _isn't_ the claimed identifier, then the end  
> user has to validate that their OP-local identifier (which they  
> don't know) is displayed correctly by the service provider. This is  
> worse than an SSL failure, there isn't even a dialog asking them to  
> click OK!
>
>> Not that it matters anyway, since people just click OK.
>
> If a service provider detects an SSL failure, there's no person  
> there to press okay. Their server will just summarily deny the  
> authentication request.
>
> The "click OK" problem is only between client-server communication.  
> This is server-server communication.

Isn't this just a lookup of email address -> openid/url that is then  
handled as a normal openid login?

Artur
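As an added illustration of the scoping check implied by the exchange above (not code from the thread or from any OpenID implementation): a relying party that only follows TXT-referenced OPs inside the email address's own domain rejects the tampered record. The record layout (keyword, user pattern, priority, URL template) and the expansion of `*` with the local part are assumptions about the proposal under discussion.

```python
import re
from urllib.parse import urlparse

# Constructed TXT record bodies, copied from the two records in the thread.
LEGIT_TXT = "OpenID * 10 https://*.example.com/"
TAMPERED_TXT = "OpenID * 10 https://*.myevilsite.com/"

# Local parts are only substituted into the URL template when they are
# plain identifier characters, so a crafted address cannot rewrite the URL.
SAFE_LOCAL = re.compile(r"[A-Za-z0-9._-]+")


def parse_openid_txt(txt):
    """Split 'OpenID <user-pattern> <priority> <url-template>' into a dict
    (field meaning is an assumption about the proposal being discussed)."""
    parts = txt.split()
    if len(parts) != 4 or parts[0] != "OpenID":
        raise ValueError("not an OpenID TXT record: %r" % txt)
    return {"user": parts[1], "priority": int(parts[2]), "template": parts[3]}


def same_domain(host, email_domain):
    """True if host is the email domain itself or a subdomain of it."""
    host, email_domain = host.lower(), email_domain.lower()
    return host == email_domain or host.endswith("." + email_domain)


def op_for_email(email, txt):
    """Return the OP URL derived from the TXT record, or None when the record
    points outside the email address's own domain or is not https."""
    local, domain = email.rsplit("@", 1)
    if not SAFE_LOCAL.fullmatch(local):
        return None
    record = parse_openid_txt(txt)
    url = record["template"].replace("*", local, 1)
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname is None:
        return None
    if not same_domain(parsed.hostname, domain):
        return None  # OP lives in a foreign domain: refuse to contact it
    return url


if __name__ == "__main__":
    print(op_for_email("alice@example.com", LEGIT_TXT))     # https://alice.example.com/
    print(op_for_email("alice@example.com", TAMPERED_TXT))  # None
```

The check only catches a record that sends the relying party to a foreign domain; an attacker who controls the zone can still point a name inside example.com at a host of their choosing, which is the gap DNSSEC (mentioned above) is meant to close.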

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
