[security] DNS-SEC the solution?

Dick Hardt dick at sxip.com
Fri Aug 8 19:51:06 UTC 2008


On 8-Aug-08, at 12:46 PM, David Recordon wrote:

> I think what Ben was saying is that DNS-SEC would solve the problem  
> of making sure that you know whether or not you're getting the  
> correct IP address for myopenid.com when you resolve it.  This thus  
> would prevent the DNS poisoning style of attack and move to using  
> SSL more for the encryption of the connection versus also making  
> sure you're talking to the right host (e.g. no MITM).
>
> The problem so far is that DNS-SEC isn't widely deployed and I think  
> Ben was suggesting that fixing this problem for OpenID would still  
> not be seen as compelling enough to make it happen.
>
> Ben, correct me if I'm wrong.

See Ben's email that answered my question well.

DNS-SEC can provide numerous other services. For example, it could  
provide a public key for an OpenID which would eliminate the need to  
do a key exchange between the OP and the RP, and would also reduce or  
eliminate the need for an OP since the client software could sign the  
messages directly if it had the private key.

-- Dick
