security (was Re: [dix] Re: Gathering requirements for in-browser OpenID support)
Ryan Barrett
openid at ryanb.org
Sat Oct 21 01:15:28 UTC 2006
On Fri, 20 Oct 2006, Gabe Wachob wrote:

> Visa's 3-D Secure (known as Verified by Visa) does NOT trust DNS. In fact,

fair enough. for closed systems, which it sounds like 3-D Secure is, that's
definitely a luxury that may make sense. however...

> As a recent former employee of Visa, I can tell you that DNS is absolutely
> *not* trusted for conducting value transactions on the net. At the very
> least, SSL is the basis upon which any transaction data is trusted.

i don't understand. DNS and SSL solve fundamentally different problems. DNS
resolves domain names to IP addresses; SSL encrypts TCP network connections.
when cardholders go to visa.com to view their monthly statement and pay bills,
their browser uses DNS to find visa.com's IP address. their browser also
(likely) uses SSL to encrypt its HTTP connection to that IP.

apologies, i know that sounds incredibly patronizing, and i definitely don't
mean it that way. i'm just trying to find common ground to work from, since i
clearly misunderstood...

-Ryan
--
http://snarfed.org/