Hi Dick, Great points, especially wrt to secure DNS.
DH> Interesting concept to distribute email verification. A modification DH> on it would be *if* we get secure DNS, that the domain would be able DH> to have a public key available and it could digitally sign the email DH> to the persona URL. This lets the world not have to *trust* a DH> centralized email verification service. Just to clarify (not sure if you actually meant this or not) that the scheme I had in mind would allow an email_verification_service at every domain (potentially). If a given domain didn't want to actually run the verification service, they could delegate the responsibility to whomever, via dix discovery. There wouldn't be a centralized verification service (unless everybody delegated to the same service). You're right, though...secure DNS could make the whole thing much more secure (although, in the current DNS system, it seems like it would be pretty difficult for a random attacker somewhere on the net to spoof a conversation between a random email address domain and a random SP. It seems to me that the attacker would probably need to have compromised the SP or the email_verification_service, or an ISP thereof to perform a DNS spoofing attack)....though I'm not an expert in that realm. David [EMAIL PROTECTED] > -----Original Message----- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Thursday, June 08, 2006 2:19 AM > To: [EMAIL PROTECTED]; Digital Identity Exchange > Subject: Re: [dix] Email Verification with Dix - a Possible Method? > > Hi David > > Interesting concept to distribute email verification. A modification > on it would be *if* we get secure DNS, that the domain would be able > to have a public key available and it could digitally sign the email > to the persona URL. This lets the world not have to *trust* a > centralized email verification service. > > Having said that, I think there is a good likelyhood that trusted > email verification services will be offered for free, which means > that A1 may become widely adopted if it is as simple as todays email > process, but that the user only has to do it once. Since only one (or > maybe a few) sites do the verification, each domain does not need to > do any config and the user can have any email address. > > To pick up on the value of verified email, there is another use of an > verified email address (or for the privacy conscience, a verified > hash of an email address). ACLs. It is a total pain to give certain > people access to a resource. Many of the private space wikis use > email invites. Taking that a step further, you enter in the email > addresses of who you would like to have access (email is an easy ID > for people), and your invitees prove they own that email address -- > essentially it is the attribute that grants them access. > > -- Dick _______________________________________________ dix mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dix
