OpenID Email Discovery

Chris Drake christopher at pobox.com
Sat Jan 5 16:30:03 UTC 2008 

Hi Phillip,

I wasn't aware that DNSSEC existed yet (outside a few obscure European
TLDs?).  Since you appear to work for Verisign, and I'd like to set
this up - can you please send me a URL when I can obtain a signed
DNSSEC certificate for my .COM domain ?

Kind Regards,
Chris Drake


Saturday, January 5, 2008, 6:18:14 AM, you wrote:

HBP> You can use domain validated SSL certificates or DNSSEC here. Either is sufficient.

HBP> There is no technology gap here.  

>> -----Original Message-----
>> From: specs-bounces at openid.net 
>> [mailto:specs-bounces at openid.net] On Behalf Of Artur Bergman
>> Sent: Friday, January 04, 2008 6:14 AM
>> To: Trevor Johns
>> Cc: 'OpenID specs list'
>> Subject: Re: OpenID Email Discovery
>> 
>> 
>> On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:
>> 
>> > On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
>> >
>> >> Fair or not, I am tired of hearing how un-secure DNS, when 
>> everything 
>> >> we do is based on it, and it being the worlds largest working 
>> >> distributed database.
>> >
>> > There's a difference between working and secure. For example, email
>> > works great but it's far from secure.
>> >
>> 
>> Whatever, this discussion is old and bores me. You can always go out
>> and use DNSSEC.
>> 
>> >> There is SSL connecting to the provider that is being refereed  
>> >> from the srv/txt field. Which is no different than what you are
>> >> referenced to from an A or CNAME or MX
>> >
>> > Which is why I said it depends on what is used as the claimed  
>> > identifier. If the user's email address is used as the claimed  
>> > identifier and I am able to change the user's record from:
>> >
>> > 	example.com   TXT   ‘OpenID * 10 https://*.example.com/’
>> >
>> > to:
>> >
>> > 	example.com   TXT   ‘OpenID * 10 https://*.myevilsite.com/’
>> >
>> > then all the SSL in the world won't help.
>> >
>> > If the email address _isn't_ the claimed identifier, then the end
>> > user has to validate that their OP-local identifier (which they  
>> > don't know) is displayed correctly by the service provider. 
>> This is  
>> > worse than an SSL failure, there isn't even a dialog asking 
>> them to  
>> > click OK!
>> >
>> >> Not that it matters anyway, since people just click OK.
>> >
>> >
>> > If a service provider detects an SSL failure, there's no person  
>> > there to press okay. Their server will just summarily deny the  
>> > authentication request.
>> >
>> > The "click OK" problem is only between client-server 
>> communication.  
>> > This is server-server communication.
>> 
>> Isn't this just a lookup of email address -> openid/url that is then
>> handled as a normal openid login?
>> 
>> Artur
>> 
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>> 
HBP> _______________________________________________
HBP> specs mailing list
HBP> specs at openid.net
HBP> http://openid.net/mailman/listinfo/specs

More information about the specs mailing list