security (was Re: [dix] Re: Gathering requirements for in-browser OpenID support)
Gabe Wachob
gabe.wachob at amsoft.net
Fri Oct 20 23:44:57 UTC 2006
As a recent former employee of Visa, I can tell you that DNS is absolutely
*not* trusted for conducting value transactions on the net. At the very
least, SSL is the basis upon which any transaction data is trusted.
Visa's 3-D Secure (known as Verified by Visa) does NOT trust DNS. In fact,
it relies on a centralized directory (which performs a similar lookup
function) run by Visa. The attitude towards the entire Internet there is
that it is still unreliable, subject to DoS, subject to interception of data
& credentials, etc. Visa and its members are high profile targets and they
are conservative about what is considered "secure", for good reason...
-Gabe
> big organizations like banks and brokerage firms are ok with conducting
> sensitive transactions over plain vanilla DNS. given that precedent, i doubt
> we'd want to burn many cycles on DNSSEC.
>
> -Ryan
>
> --
> http://snarfed.org/
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general