[OpenID] Combining Google & Yahoo user experience research

Martin Atkins mart at degeneration.co.uk
Wed Oct 15 02:45:21 UTC 2008


SitG Admin wrote:
> 
>> Putting it in DNS doesn't change the user-centricness, it just changes 
>> the means of publication.
> 
> I disagree here; to use military terminology here (as learned from 
> analyses of Trusted Computing) for a moment, your DNS server is not a 
> Trusted party for your personal information! IT does not have access to 
> your personal information; YOU do. If a spammer (or stalker) wants to 
> learn where you live (so they have a physical address for snailmail spam 
> or home invasion), they cannot simply ask the DNS server where you live, 
> because the DNS server does not possess that information - they MUST 
> contact you, the user, directly, and in the process of making that 
> request they not only make you (the user) aware of it, but provoke the 
> distinct possibility that you will simply refuse to tell them!
> 
> Your reply also suggested, though, that this level of control *can* be 
> present in DNS, which intrigues me :)
> 

I was not suggesting that you should put your physical address or 
telephone number in DNS, just that you can publish in DNS information 
about how that information might be obtained, much as you publish on 
your web site how that information might be obtained.

I'd also like to point out that HTTP URLs are themselves dependent on 
DNS. All you gain by publishing this information over HTTP rather than 
DNS is a couple more layers of indirection. I can't control my identity 
page on MyOpenID any more than I can control the contents of the 
myopenid.com DNS zone.

Additionally, since DNS is a request->response protocol just like HTTP, 
there's no technical reason why you can't log requests and refuse to 
talk to certain clients if you wish. The domain name system is not magic.
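
The point in the last paragraph above, as an added example (not part of the original message and not code from any OpenID project): a minimal server-side handler that parses a DNS query, logs who asked for what, and answers clients on a deny list with RCODE 5 (REFUSED). The names `parse_question`, `handle`, `DENIED_NETS` and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

REFUSED = 5  # RCODE 5 in RFC 1035: server refuses the query for policy reasons

# Constructed sample: ID 0x1a2b, RD set, one question: example.org TXT IN
SAMPLE_QUERY = (bytes.fromhex("1a2b01000001000000000000")
                + b"\x07example\x03org\x00" + struct.pack("!HH", 16, 1))
DENIED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed deny list

def parse_question(packet):
    """Return (txid, qname, qtype, end_offset) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(packet):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(packet[off:off + n].decode("ascii", "replace").lower())
        off += n
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, off + 4

def handle(packet, client_ip, denied_nets, log):
    """Log every query; return a REFUSED reply for denied clients, else None."""
    txid, qname, qtype, end = parse_question(packet)
    addr = ipaddress.ip_address(client_ip)
    denied = any(addr in net for net in denied_nets)
    log.append((client_ip, qname, qtype, "refused" if denied else "answer"))
    if not denied:
        return None  # caller answers from its zone data as usual
    query_flags = struct.unpack("!H", packet[2:4])[0]
    # QR=1, keep the query's Opcode and RD bits, set RCODE=REFUSED
    flags = 0x8000 | (query_flags & 0x7900) | REFUSED
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + packet[12:end]  # echo the question section back
```

The address such a server sees is normally that of the querier's recursive resolver rather than the end user, and UDP source addresses can be spoofed, so logs and deny lists of this kind act on resolvers.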




