OpenID Email Discovery

Hallam-Baker, Phillip pbaker at verisign.com
Fri Jan 4 20:18:14 UTC 2008 

You can use domain validated SSL certificates or DNSSEC here. Either is sufficient. 

There is no technology gap here.  

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Artur Bergman
> Sent: Friday, January 04, 2008 6:14 AM
> To: Trevor Johns
> Cc: 'OpenID specs list'
> Subject: Re: OpenID Email Discovery
> 
> 
> On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:
> 
> > On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
> >
> >> Fair or not, I am tired of hearing how un-secure DNS, when 
> everything 
> >> we do is based on it, and it being the worlds largest working 
> >> distributed database.
> >
> > There's a difference between working and secure. For example, email 
> > works great but it's far from secure.
> >
> 
> Whatever, this discussion is old and bores me. You can always go out  
> and use DNSSEC.
> 
> >> There is SSL connecting to the provider that is being refereed  
> >> from the srv/txt field. Which is no different than what you are  
> >> referenced to from an A or CNAME or MX
> >
> > Which is why I said it depends on what is used as the claimed  
> > identifier. If the user's email address is used as the claimed  
> > identifier and I am able to change the user's record from:
> >
> > 	example.com   TXT   ‘OpenID * 10 https://*.example.com/’
> >
> > to:
> >
> > 	example.com   TXT   ‘OpenID * 10 https://*.myevilsite.com/’
> >
> > then all the SSL in the world won't help.
> >
> > If the email address _isn't_ the claimed identifier, then the end  
> > user has to validate that their OP-local identifier (which they  
> > don't know) is displayed correctly by the service provider. 
> This is  
> > worse than an SSL failure, there isn't even a dialog asking 
> them to  
> > click OK!
> >
> >> Not that it matters anyway, since people just click OK.
> >
> >
> > If a service provider detects an SSL failure, there's no person  
> > there to press okay. Their server will just summarily deny the  
> > authentication request.
> >
> > The "click OK" problem is only between client-server 
> communication.  
> > This is server-server communication.
> 
> Isn't this just a lookup of email address -> openid/url that is then  
> handled as a normal openid login?
> 
> Artur
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>

More information about the specs mailing list