You can use domain validated SSL certificates or DNSSEC here. Either is sufficient.
There is no technology gap here.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Artur Bergman
> Sent: Friday, January 04, 2008 6:14 AM
> To: Trevor Johns
> Cc: 'OpenID specs list'
> Subject: Re: OpenID Email Discovery
>
>
> On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:
>
> > On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
> >
> >> Fair or not, I am tired of hearing how insecure DNS is, when
> >> everything we do is based on it, and it being the world's largest
> >> working distributed database.
> >
> > There's a difference between working and secure. For example, email
> > works great but it's far from secure.
> >
>
> Whatever, this discussion is old and bores me. You can always go out
> and use DNSSEC.
>
> >> There is SSL connecting to the provider that is being referred
> >> from the srv/txt field. Which is no different than what you are
> >> referenced to from an A or CNAME or MX
> >
> > Which is why I said it depends on what is used as the claimed
> > identifier. If the user's email address is used as the claimed
> > identifier and I am able to change the user's record from:
> >
> > example.com TXT ‘OpenID * 10 https://*.example.com/’
> >
> > to:
> >
> > example.com TXT ‘OpenID * 10 https://*.myevilsite.com/’
> >
> > then all the SSL in the world won't help.
> >
> > If the email address _isn't_ the claimed identifier, then the end
> > user has to validate that their OP-local identifier (which they
> > don't know) is displayed correctly by the service provider. This is
> > worse than an SSL failure; there isn't even a dialog asking them to
> > click OK!
> >
> >> Not that it matters anyway, since people just click OK.
> >
> >
> > If a service provider detects an SSL failure, there's no person
> > there to press okay. Their server will just summarily deny the
> > authentication request.
> >
> > The "click OK" problem is only between client-server communication.
> > This is server-server communication.
> >
>
> Isn't this just a lookup of email address -> openid/url that is then
> handled as a normal openid login?
>
> Artur
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
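The "email address -> openid/url" lookup discussed in the thread, written out as an added example (mine, not code from the thread, the OpenID spec, or any OpenID library). It assumes a TXT record of the form `OpenID <user-pattern> <priority> <url-template>` as in Trevor's example, with `*` in the template standing for the local part of the address; the TXT answers are constructed inline so nothing touches the network. The policy it implements is the one the reply above sketches: accept a provider outside the email's own domain only when the resolver reported the answer as DNSSEC-authenticated (the `dnssec_validated` flag is assumed to come from the AD bit); otherwise require the provider host to sit inside the email domain, so that a domain-validated certificate on the provider actually proves control of the domain the address belongs to. A record rewritten to point at another domain, as in the `myevilsite.com` case, is rejected instead of trusted.

```python
import fnmatch
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when no trustworthy OpenID provider can be derived for an address."""


def parse_openid_txt(record):
    """Parse one TXT string of the assumed form 'OpenID <pattern> <priority> <template>'.

    Returns (pattern, priority, template), or None when the string is not an
    OpenID discovery record (e.g. an SPF record sharing the same name).
    """
    fields = record.split()
    if len(fields) != 4 or fields[0].lower() != "openid":
        return None
    pattern, priority, template = fields[1], fields[2], fields[3]
    if not priority.isdigit():
        return None
    return pattern, int(priority), template


def host_within_domain(host, domain):
    """True when host is the domain itself or a label-aligned subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def discover_op(email, txt_records, dnssec_validated=False):
    """Map an email address to its OpenID provider URL.

    txt_records: the TXT strings returned for the address's domain (constructed
    by the caller in this example; a real deployment would query DNS).
    dnssec_validated: whether the resolver reported the answer as authenticated.
    Without that, the provider host must sit inside the email domain; an
    unauthenticated record pointing elsewhere is refused.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise DiscoveryError("malformed address")

    candidates = []
    for record in txt_records:
        parsed = parse_openid_txt(record)
        if parsed is None:
            continue
        pattern, priority, template = parsed
        if fnmatch.fnmatchcase(local, pattern):
            candidates.append((priority, template))
    if not candidates:
        raise DiscoveryError("no OpenID discovery record for %s" % domain)

    _, template = min(candidates)          # lowest priority value wins
    url = template.replace("*", local)     # assumption: '*' is the local part
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise DiscoveryError("provider URL must be https with a host: %r" % url)

    if not dnssec_validated and not host_within_domain(parts.hostname, domain):
        raise DiscoveryError(
            "unauthenticated DNS answer for %s points at %s; refusing"
            % (domain, parts.hostname)
        )
    return url


if __name__ == "__main__":
    # Constructed records: the honest one and the rewritten one from the thread.
    honest = ["OpenID * 10 https://*.example.com/"]
    tampered = ["OpenID * 10 https://*.myevilsite.com/"]
    print(discover_op("trevor@example.com", honest))
    try:
        discover_op("trevor@example.com", tampered)
    except DiscoveryError as err:
        print("rejected:", err)
```

With a plain (unauthenticated) answer the tampered record is refused, so the TLS handshake never happens with the wrong provider; with a DNSSEC-authenticated answer a delegation to a third-party provider is accepted, because the zone owner is then known to have published it.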