<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
h2
{mso-style-priority:9;
mso-style-link:"Titre 2 Car";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:18.0pt;
font-family:"Times New Roman","serif";
color:black;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"Préformaté HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:Consolas;
color:black;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.Titre2Car
{mso-style-name:"Titre 2 Car";
mso-style-priority:9;
mso-style-link:"Titre 2";
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1746760733;
mso-list-template-ids:-1940112272;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Copy from Zdravko (OpenID Bulgarian Representative):<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal>Hi all!<br>
<br>
Snorri wrote: <o:p></o:p></p>
<pre>I agree!<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>About DNSSEC, e.g.: I believe that the Swedish NIC <a
href="http://www.iis.se/">http://www.iis.se/</a> (also<o:p></o:p></pre><pre>in Bulgaria: ".bg") already use and sign with DNSSEC for their ccTLDs<o:p></o:p></pre><pre>domains...<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal>That's right. Since November 2007 Register.BG supports
DNSSEC and provided administrative interface to end-users for DNSSEC
administration. Such support is for the root .bg zone, and all its sub-domains
as well. So Register.BG became the second registrant after the Swedish one to
successfully implement DNSSEC (i.e. signed its own zone). The current status of
this process could be seen here:<br>
<a href="http://secspider.cs.ucla.edu/islands.html">http://secspider.cs.ucla.edu/islands.html</a><br>
<br>
However there are some talks against DNSSEC as well. A small quote from <a
href="http://cr.yp.to/djbdns/forgery.html">http://cr.yp.to/djbdns/forgery.html</a><o:p></o:p></p>
<h2>"DNSSEC: theory and practice<o:p></o:p></h2>
<p class=MsoNormal><span class=apple-style-span>DNSSEC is a project to have a
central company, Network Solutions, sign all the</span><span
class=apple-converted-space> </span><tt><span style='font-size:10.0pt'>.com</span></tt><span
class=apple-converted-space> </span><span class=apple-style-span>DNS
records. Here's the idea, proposed in 1993: <o:p></o:p></span></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Network Solutions creates and publishes a key.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Each<span class=apple-converted-space> </span><tt><span
style='font-size:10.0pt'>*.com</span></tt><span
class=apple-converted-space> </span>creates a key and signs its own
DNS records. Yahoo, for example, creates a key and signs the<span
class=apple-converted-space> </span><tt><span style='font-size:10.0pt'>yahoo.com</span></tt><span
class=apple-converted-space> </span>DNS records under that key.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Network Solutions signs each<span
class=apple-converted-space> </span><tt><span style='font-size:10.0pt'>*.com</span></tt><span
class=apple-converted-space> </span>key. Yahoo, for example, gives
its key to Network Solutions through some secure channel, and Network
Solutions signs a document identifying that key as the<tt><span
style='font-size:10.0pt'>yahoo.com</span></tt><span
class=apple-converted-space> </span>key.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Computers around the Internet are given the
Network Solutions key, and begin rejecting DNS records that aren't
accompanied by the appropriate signatures.<o:p></o:p></li>
</ul>
<p>However, as of November 2002, Network Solutions simply isn't doing this.
There is no Network Solutions key. There are no Network Solutions<span
class=apple-converted-space> </span><tt><span style='font-size:10.0pt'>*.com</span></tt><span
class=apple-converted-space> </span>signatures. There is no secure
channel---in fact, no mechanism at all---for Network Solutions to collect<span
class=apple-converted-space> </span><tt><span style='font-size:10.0pt'>*.com</span></tt><span
class=apple-converted-space> </span>keys in the first place.<o:p></o:p></p>
<p>Even worse, the DNSSEC protocol is still undergoing massive changes. As Paul
Vixie wrote on 2002.11.21:<o:p></o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>We are still doing basic research on what kind of data model
will work for dns security. After three or four times of saying "NOW we've
got it, THIS TIME for sure" there's finally some humility in the
picture... "wonder if THIS'll work?" ... <o:p></o:p></p>
<p>It's impossible to know how many more flag days we'll have before it's safe
to burn ROMs that marshall and unmarshall the DNSSEC related RR's, or follow
chains trying to validate signatures. It sure isn't plain old SIG+KEY, and it
sure isn't DS as currently specified. When will it be? We don't know. What has
to happen before we will know? We don't know that either. ...<o:p></o:p></p>
<p>2535 is already dead and buried. There is no installed base. We're starting
from scratch.<o:p></o:p></p>
</blockquote>
<p>DNSSEC---for example, BIND 9's RFC 2535 implementation---has been falsely
advertised for years as a software feature that you can install to protect your
computer against DNS forgeries. In fact, installing DNSSEC does<span
class=apple-converted-space> </span><i>nothing</i><span
class=apple-converted-space> </span>to protect you, and it will continue
to do nothing for the foreseeable future.<o:p></o:p></p>
<p>I'm not going to bother implementing DNSSEC until I see (1) a stable,
sensible DNSSEC protocol and (2) a detailed, concrete, credible plan for
central DNSSEC deployment."<span style='color:#1F497D'><o:p></o:p></span></p>
<pre>-----Message d'origine-----<o:p></o:p></pre><pre>De : Martin Atkins [<a
href="mailto:mart@degeneration.co.uk">mailto:mart@degeneration.co.uk</a>] <o:p></o:p></pre><pre>Envoyé : samedi 27 septembre 2008 10:55<o:p></o:p></pre><pre>À : Hans Granqvist<o:p></o:p></pre><pre>Cc : Snorri; <a
href="mailto:board@openid.net">board@openid.net</a>; <a
href="mailto:general@openid.net">general@openid.net</a><o:p></o:p></pre><pre>Objet : Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Hans Granqvist wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Wrong end of the URL!<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>A big problem with OpenID is that it uses ugly URLs as identifiers.<o:p></o:p></pre><pre>That they start with <a
href="http://">"http://"</a> and have dots. It's not what TLD they<o:p></o:p></pre><pre>end with that is a problem.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre>Much like when URLs are published in the press, the <a href="http://">http://</a> prefix and <o:p></o:p></pre><pre>the single-slash path component can be omitted when displaying these <o:p></o:p></pre><pre>URLs to users. I wish more RPs would do this.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>As for it being a problem that the identifiers contain dots... that's <o:p></o:p></pre><pre>clearly a subjective issue!<o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Anyway, compared to say, ".com", how will creating ".openid" help<o:p></o:p></pre><pre>improve anything? Looks like a misspelling of "opened". "myid"<o:p></o:p></pre><pre>isn't much better.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre><o:p> </o:p></pre><pre>One thing that amuses me about this proposal is that putting everything <o:p></o:p></pre><pre>OpenID in one DNS domain would make it look a lot like the first version <o:p></o:p></pre><pre>of Sxip where the IdPs where subdomains of sxip.com (or something like <o:p></o:p></pre><pre>that; it's been a while.)<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I know that's not exactly what's being proposed here, but it did make me <o:p></o:p></pre><pre>chuckle from a "what's old is new again" perspective.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>One thing I would be interested to know is whether having a new <o:p></o:p></pre><pre>top-level domain for identifiers would make it possible to use different <o:p></o:p></pre><pre>rules inside that domain such as requiring DNSSEC. It's become clear <o:p></o:p></pre><pre>that getting DNSSEC deployed right at the root and in the existing TLDs <o:p></o:p></pre><pre>is not happening soon, but perhaps it can be used under a new TLD if RPs <o:p></o:p></pre><pre>support it. I confess to not knowing a great deal about DNSSEC, but it <o:p></o:p></pre><pre>seems to me that in order for it to be worth having a new TLD <o:p></o:p></pre><pre>*something* has to be different to the existing free-for-all domains. <o:p></o:p></pre><pre>Addressing the concern that OpenID depends on DNS and DNS is insecure <o:p></o:p></pre><pre>would be a useful goal.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre><pre> Zdravko Stoychev<o:p></o:p></pre><pre> 5Group & Co.<o:p></o:p></pre><pre> <a
href="mailto:zdravko@5group.com">zdravko@5group.com</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Not answered?<o:p></o:p></pre><pre><a
href="http://6lyokavitza.org/mail">http://6lyokavitza.org/mail</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>PGP Public Key:<o:p></o:p></pre><pre><a
href="http://keyserver.kjsl.com:11371/pks/lookup?op=get&search=0x94F6C680">http://keyserver.kjsl.com:11371/pks/lookup?op=get&search=0x94F6C680</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Key Fingerprint: <o:p></o:p></pre><pre>4A83 4885 DD7F 3A26 E8FF 8380 2CFB 85F9 94F6 C680<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>This e-mail is intended only for the addressee(s) and may contain <o:p></o:p></pre><pre>privileged and confidential information. It should not be disse-<o:p></o:p></pre><pre>minated, distributed, or copied. If you have received this e-mail <o:p></o:p></pre><pre>message by mistake, please inform the sender, and delete it from <o:p></o:p></pre><pre>your system.<o:p></o:p></pre></div>
</body>
</html>