[OpenID] TR: ICANN - dotOpenID Has Found Its First Sponsor

Snorri snorri at snorri.eu
Tue Sep 30 13:44:26 UTC 2008


Copy from Zdravko (OpenID Bulgarian Representative):

Hi all!

Snorri wrote:

I agree!

About DNSSEC, e.g.: I believe that the Swedish NIC http://www.iis.se/ (also
in Bulgaria: ".bg") already use and sign with DNSSEC for their ccTLD
domains...


That's right. Since November 2007 Register.BG has supported DNSSEC and provided
an administrative interface to end-users for DNSSEC administration. Such
support is for the root .bg zone, and all its sub-domains as well. So
Register.BG became the second registrant after the Swedish one to
successfully implement DNSSEC (i.e. signed its own zone). The current status
of this process can be seen here:
http://secspider.cs.ucla.edu/islands.html

However, there is also some talk against DNSSEC. A small quote from
http://cr.yp.to/djbdns/forgery.html

"DNSSEC: theory and practice

DNSSEC is a project to have a central company, Network Solutions, sign all
the .com DNS records. Here's the idea, proposed in 1993:

* Network Solutions creates and publishes a key.
* Each *.com creates a key and signs its own DNS records. Yahoo, for
  example, creates a key and signs the yahoo.com DNS records under that key.
* Network Solutions signs each *.com key. Yahoo, for example, gives
  its key to Network Solutions through some secure channel, and Network
  Solutions signs a document identifying that key as the yahoo.com key.
* Computers around the Internet are given the Network Solutions key,
  and begin rejecting DNS records that aren't accompanied by the appropriate
  signatures.

However, as of November 2002, Network Solutions simply isn't doing this.
There is no Network Solutions key. There are no Network Solutions *.com
signatures. There is no secure channel---in fact, no mechanism at all---for
Network Solutions to collect *.com keys in the first place.

Even worse, the DNSSEC protocol is still undergoing massive changes. As Paul
Vixie wrote on 2002.11.21:

We are still doing basic research on what kind of data model will work for
dns security. After three or four times of saying "NOW we've got it, THIS
TIME for sure" there's finally some humility in the picture... "wonder if
THIS'll work?" ... 

It's impossible to know how many more flag days we'll have before it's safe
to burn ROMs that marshall and unmarshall the DNSSEC related RR's, or follow
chains trying to validate signatures. It sure isn't plain old SIG+KEY, and
it sure isn't DS as currently specified. When will it be? We don't know.
What has to happen before we will know? We don't know that either. ...

2535 is already dead and buried. There is no installed base. We're starting
from scratch.

DNSSEC---for example, BIND 9's RFC 2535 implementation---has been falsely
advertised for years as a software feature that you can install to protect
your computer against DNS forgeries. In fact, installing DNSSEC does nothing
to protect you, and it will continue to do nothing for the foreseeable
future.

I'm not going to bother implementing DNSSEC until I see (1) a stable,
sensible DNSSEC protocol and (2) a detailed, concrete, credible plan for
central DNSSEC deployment."

-----Original Message-----
From: Martin Atkins [mailto:mart at degeneration.co.uk]
Sent: Saturday 27 September 2008 10:55
To: Hans Granqvist
Cc: Snorri; board at openid.net; general at openid.net
Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor

Hans Granqvist wrote:

Wrong end of the URL!

A big problem with OpenID is that it uses ugly URLs as identifiers.
That they start with "http://" and have dots. It's not what TLD they
end with that is a problem.

Much like when URLs are published in the press, the http:// prefix and 
the single-slash path component can be omitted when displaying these 
URLs to users. I wish more RPs would do this.
 
As for it being a problem that the identifiers contain dots... that's 
clearly a subjective issue!

Anyway, compared to, say, ".com", how will creating ".openid" help
improve anything? Looks like a misspelling of "opened". "myid"
isn't much better.

One thing that amuses me about this proposal is that putting everything
OpenID in one DNS domain would make it look a lot like the first version
of Sxip where the IdPs were subdomains of sxip.com (or something like
that; it's been a while.)
 
I know that's not exactly what's being proposed here, but it did make me 
chuckle from a "what's old is new again" perspective.
 
One thing I would be interested to know is whether having a new 
top-level domain for identifiers would make it possible to use different 
rules inside that domain such as requiring DNSSEC. It's become clear 
that getting DNSSEC deployed right at the root and in the existing TLDs 
is not happening soon, but perhaps it can be used under a new TLD if RPs 
support it. I confess to not knowing a great deal about DNSSEC, but it 
seems to me that in order for it to be worth having a new TLD 
*something* has to be different to the existing free-for-all domains. 
Addressing the concern that OpenID depends on DNS and DNS is insecure 
would be a useful goal.
-- 
  Zdravko Stoychev
  5Group & Co.
  zdravko at 5group.com
 
Not answered?
http://6lyokavitza.org/mail
 
PGP Public Key:
http://keyserver.kjsl.com:11371/pks/lookup?op=get&search=0x94F6C680
 
Key Fingerprint: 
4A83 4885 DD7F 3A26 E8FF 8380 2CFB 85F9 94F6 C680
 
This e-mail is intended only for the addressee(s) and may contain
privileged and confidential information. It should not be disseminated,
distributed, or copied. If you have received this e-mail
message by mistake, please inform the sender, and delete it from
your system.
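The chain of trust in the quoted four-step description, together with the stricter rule Martin asks about (refusing unsigned answers under one TLD), as an added example that is not part of this thread and is not the code of any DNSSEC implementation. It is a deliberately simplified model: Ed25519 keys stand in for DNSKEY, a signed "<zone> KEY <hex>" statement stands in for the DS record by which a parent vouches for a child's key, the zone owning a name is assumed to be its last two labels, and the trust anchor is a per-TLD key the validator is configured with (the "Network Solutions key" in the quote, or a hypothetical ".openid" key). All names, record strings and addresses are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

type Signed struct {
	Record string
	Sig    []byte
}

// Zone is a toy zone with its own key pair (constructed model, not DNSSEC wire format).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// Sign: "each *.com creates a key and signs its own DNS records".
func (z *Zone) Sign(record string) Signed {
	return Signed{Record: record, Sig: ed25519.Sign(z.priv, []byte(record))}
}

const keyFmt = "%s KEY %x" // statement a parent signs to vouch for a child's key

// Delegate: "Network Solutions signs each *.com key" (roughly what a DS record does).
func (parent *Zone) Delegate(child *Zone) Signed {
	return parent.Sign(fmt.Sprintf(keyFmt, child.Name, []byte(child.Pub)))
}

// Answer is what a resolver hands the validator; nil Delegation = plain, unsigned DNS.
type Answer struct {
	Record     string // e.g. "www.yahoo.com A 192.0.2.10"
	ZoneKey    ed25519.PublicKey
	RecordSig  []byte
	Delegation *Signed
}

func (z *Zone) SignedAnswer(record string, delegation Signed) Answer {
	s := z.Sign(record)
	return Answer{Record: record, ZoneKey: z.Pub, RecordSig: s.Sig, Delegation: &delegation}
}

// Validator: one trust-anchor key per TLD, plus the TLDs where unsigned answers are refused.
type Validator struct {
	Anchors      map[string]ed25519.PublicKey
	RequireUnder map[string]bool
}

func (v Validator) Validate(a Answer) (bool, string) {
	f := strings.Fields(a.Record)
	if len(f) == 0 || !strings.Contains(f[0], ".") {
		return false, "malformed owner name"
	}
	ls := strings.Split(f[0], ".")
	tld := ls[len(ls)-1]
	zone := strings.Join(ls[len(ls)-2:], ".") // toy rule: zone = last two labels
	if a.Delegation == nil {
		if v.RequireUnder[tld] {
			return false, "unsigned answer under a TLD that requires signatures"
		}
		return true, "accepted without validation (plain DNS)"
	}
	anchor, ok := v.Anchors[tld]
	if !ok {
		return false, "no trust anchor for ." + tld
	}
	// 1. The parent's key statement must carry the trust anchor's signature.
	if !ed25519.Verify(anchor, []byte(a.Delegation.Record), a.Delegation.Sig) {
		return false, "delegation not signed by the trust anchor"
	}
	// 2. It must name this zone and this key (no replaying a genuine delegation next to another key).
	if a.Delegation.Record != fmt.Sprintf(keyFmt, zone, []byte(a.ZoneKey)) {
		return false, "zone key is not the one the parent vouched for"
	}
	// 3. The record itself must verify under that zone key.
	if !ed25519.Verify(a.ZoneKey, []byte(a.Record), a.RecordSig) {
		return false, "record signature invalid"
	}
	return true, "validated through the chain of trust"
}

func main() {
	com, yahoo, forger := NewZone("com"), NewZone("yahoo.com"), NewZone("yahoo.com")
	v := Validator{Anchors: map[string]ed25519.PublicKey{"com": com.Pub}, RequireUnder: map[string]bool{"openid": true}}
	fmt.Println(v.Validate(yahoo.SignedAnswer("www.yahoo.com A 192.0.2.10", com.Delegate(yahoo))))
	fmt.Println(v.Validate(forger.SignedAnswer("www.yahoo.com A 198.51.100.9", forger.Delegate(forger))))
	fmt.Println(v.Validate(Answer{Record: "alice.example.openid A 192.0.2.20"}))
}
```

Running it prints three results: a genuine chain validating, a forged record whose key is vouched for only by the forger failing at the first check, and an unsigned answer under .openid refused by policy while plain .com answers would still be accepted without validation. Real DNSSEC additionally covers RRset canonical ordering, signature validity windows, key rollover and authenticated denial of existence; none of that is modelled here, which is exactly the gap the "flag days" passage in the quote is complaining about.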