[security] DNS-SEC the solution?

David Recordon drecordon at sixapart.com
Fri Aug 8 19:46:02 UTC 2008


I think what Ben was saying is that DNS-SEC would solve the problem of
making sure that you know whether or not you're getting the correct IP
address for myopenid.com when you resolve it.  This thus would prevent
the DNS poisoning style of attack and move to using SSL more for the
encryption of the connection versus also making sure you're talking to
the right host (e.g. no MITM).

The problem so far is that DNS-SEC isn't widely deployed and I think
Ben was suggesting that fixing this problem for OpenID would still not
be seen as compelling enough to make it happen.

Ben, correct me if I'm wrong.

--David

On Aug 8, 2008, at 12:13 PM, Dick Hardt wrote:

>
> On 8-Aug-08, at 11:13 AM, Ben Laurie wrote:
>
>> On Fri, Aug 8, 2008 at 6:37 PM, Dick Hardt <dick at sxip.com> wrote:
>>> What if OpenID required DNS-SEC critical parts of the protocol?
>>>
>>> The objective is to bind of the DNS identifiers to documents.
>>>
>>> This could be a driver for DNS-SEC. Thoughts on this Ben?
>>
>> DNSSEC certainly solves the underlying DNS problem, and definitely
>> could be extended to solve all sorts of other problems.
>>
>> Whether problems in OpenID will be found significantly more compelling
>> than existing arguments is another question.
>
> Would you elaborate or provide a pointer?  Your wisdom here would be
> really useful!
>
> -- Dick
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
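The mechanism David describes above (a signed answer lets a resolver tell the genuine address records for myopenid.com from a poisoned substitute) as an added, self-contained example; this is not code from the thread or from any OpenID or DNSSEC implementation. It models a single RRset signed with an Ed25519 zone key (DNSSEC algorithm 15) and compares a non-validating resolver, which trusts whatever arrives, with a validating one, which checks the RRSIG against a trust anchor and rejects a forged record. Assumptions: the canonical form, the `Answer`/`Resolve`/`SignRRset`/`Scenario` names, the freshly generated key standing in for a trust anchor, and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration; the DS/DNSKEY chain, key tags and signature validity periods of real DNSSEC are omitted, and the TLS half of David's point (encrypting the connection once you know you have the right host) is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL, rdata.
type RR struct {
	Name, Type string
	TTL        uint32
	Data       string
}

// Answer is an RRset together with its RRSIG. A real RRSIG also carries
// algorithm, label count, inception/expiration and key tag; omitted here.
type Answer struct {
	RRs   []RR
	RRSIG []byte
}

// canonical serialises an RRset deterministically (owner name lower-cased,
// records sorted) so signer and verifier operate on identical bytes.
// It is a constructed stand-in for the RFC 4034 canonical wire form.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s|%s|%d|%s",
			strings.ToLower(rr.Name), rr.Type, rr.TTL, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone operator's step: sign the RRset with the zone key.
// Ed25519 is DNSSEC algorithm 15 (RFC 8080).
func SignRRset(priv ed25519.PrivateKey, rrs []RR) Answer {
	return Answer{RRs: rrs, RRSIG: ed25519.Sign(priv, canonical(rrs))}
}

// Resolve returns the first address in the answer. With validate=false it
// behaves like a pre-DNSSEC resolver and trusts whatever arrived; with
// validate=true it checks the RRSIG against the trust anchor first and
// returns an error (SERVFAIL in a real resolver) when the RRset is bogus.
func Resolve(ans Answer, anchor ed25519.PublicKey, validate bool) (string, error) {
	if len(ans.RRs) == 0 {
		return "", errors.New("empty answer")
	}
	if validate && !ed25519.Verify(anchor, canonical(ans.RRs), ans.RRSIG) {
		return "", errors.New("SERVFAIL: RRSIG does not verify (bogus answer)")
	}
	return ans.RRs[0].Data, nil
}

// Outcome records what each resolver mode returned for each answer.
type Outcome struct {
	LegitDNSSEC       string // validating resolver, genuine answer
	PoisonedNoDNSSEC  string // non-validating resolver, forged answer
	PoisonedDNSSECErr error  // validating resolver, forged answer
}

// Scenario generates a zone key (standing in for the trust anchor), signs an
// A RRset for myopenid.com, then builds a poisoned copy that swaps the address
// but reuses the genuine RRSIG. Addresses are constructed (RFC 5737 ranges).
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := SignRRset(priv, []RR{{Name: "myopenid.com.", Type: "A", TTL: 300, Data: "192.0.2.10"}})
	// Forged answer: same name and signature, different rdata. Without the
	// zone's private key no valid signature over the new record can be made.
	poisoned := Answer{
		RRs:   []RR{{Name: "myopenid.com.", Type: "A", TTL: 300, Data: "198.51.100.66"}},
		RRSIG: genuine.RRSIG,
	}
	var out Outcome
	if out.LegitDNSSEC, err = Resolve(genuine, pub, true); err != nil {
		return Outcome{}, err
	}
	out.PoisonedNoDNSSEC, _ = Resolve(poisoned, pub, false)
	_, out.PoisonedDNSSECErr = Resolve(poisoned, pub, true)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("validating, genuine:     ", out.LegitDNSSEC)
	fmt.Println("non-validating, poisoned:", out.PoisonedNoDNSSEC)
	fmt.Println("validating, poisoned:    ", out.PoisonedDNSSECErr)
}
```

The point the thread makes is visible in the last two lines of output: the non-validating resolver hands back the attacker's address without complaint, while the validating one fails closed, which is exactly the deployment gap David refers to when he says DNS-SEC "isn't widely deployed".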
