security (was Re: [dix] Re: Gathering requirements for in-browser OpenID support)
Chris Drake
christopher at pobox.com
Sat Oct 21 11:25:41 UTC 2006
Hi Ryan,
The bit you missed out comes before "SSL encrypts TCP network
connections." - it's the bit where the visa.com certificate signature
is checked up to a trusted root.
Kind Regards,
Chris Drake
Saturday, October 21, 2006, 11:15:28 AM, you wrote:
RB> On Fri, 20 Oct 2006, Gabe Wachob wrote:
>> Visa's 3-D Secure (known as Verified by Visa) does NOT trust DNS. In fact,
RB> fair enough. for closed systems, which it sounds like 3-D Secure is, that's
RB> definitely a luxury that may make sense. however...
>> As a recent former employee of Visa, I can tell you that DNS is absolutely
>> *not* trusted for conducting value transactions on the net. At the very
>> least, SSL is the basis upon which any transaction data is trusted.
RB> i don't understand. DNS and SSL solve fundamentally different problems. DNS
RB> resolves domain names to IP addresses; SSL encrypts TCP network connections.
RB> when cardholders go to visa.com to view their monthly statement and pay bills,
RB> their browser uses DNS to find visa.com's IP address. their browser also
RB> (likely) uses SSL to encrypt its HTTP connection to that IP.
RB> apologies, i know that sounds incredibly patronizing, and i definitely don't
RB> mean it that way. i'm just trying to find common ground to work from, since i
RB> clearly misunderstood...
RB> -Ryan
RB> --
RB> http://snarfed.org/
RB> _______________________________________________
RB> general mailing list
RB> general at openid.net
RB> http://openid.net/mailman/listinfo/general
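The check referred to in the reply above, a server certificate's signature being verified up to a trusted root, shown as an added example that is not part of the original thread. It uses the openssl command line on CAs and certificates generated locally; the host names bank.example and login.example, the CA names and all file and function names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example. Every key, CA and certificate here is constructed locally;
# bank.example is a placeholder host name, not a name from the thread.
set -eu
work=$(mktemp -d) && cd "$work"

make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA prefix, $2 = leaf prefix, $3 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# What a client does before trusting the channel: the presented certificate
# must chain to a root it already trusts AND name the host it asked for.
check_server_cert() {   # $1 = trusted root, $2 = presented cert, $3 = host
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

make_ca root  "Constructed Trusted Root"
make_ca other "Constructed Unknown CA"
issue_leaf root  real  bank.example    # certificate the genuine site holds
issue_leaf other spoof bank.example    # same name, issuer the client never trusted

echo "genuine cert:      $(check_server_cert root.pem real.pem  bank.example)"
echo "unknown issuer:    $(check_server_cert root.pem spoof.pem bank.example)"
echo "wrong host name:   $(check_server_cert root.pem real.pem  login.example)"
```

The result depends only on the trusted root and the name in the certificate, not on which IP address the name resolved to.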