Hi Dick,

Great points, especially wrt to secure DNS.

DH> Interesting concept to distribute email verification. A modification
DH> on it would be *if* we get secure DNS, that the domain would be able
DH> to have a public key available and it could digitally sign the email
DH> to the persona URL. This lets the world not have to *trust* a
DH> centralized email verification service.

Just to clarify (not sure if you actually meant this or not) that the scheme I had in mind would allow an email_verification_service at every domain (potentially). If a given domain didn't want to actually run the verification service, they could delegate the responsibility to whomever, via dix discovery. There wouldn't be a centralized verification service (unless everybody delegated to the same service).

You're right, though... secure DNS could make the whole thing much more secure (although, in the current DNS system, it seems like it would be pretty difficult for a random attacker somewhere on the net to spoof a conversation between a random email address domain and a random SP. It seems to me that the attacker would probably need to have compromised the SP or the email_verification_service, or an ISP thereof to perform a DNS spoofing attack).... though I'm not an expert in that realm.

David

> -----Original Message-----
> From: Dick Hardt [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2006 2:19 AM
> To:
> Subject: Re: [dix] Email Verification with Dix - a Possible Method?
>
> Hi David
>
> Interesting concept to distribute email verification. A modification
> on it would be *if* we get secure DNS, that the domain would be able
> to have a public key available and it could digitally sign the email
> to the persona URL. This lets the world not have to *trust* a
> centralized email verification service.
>
> Having said that, I think there is a good likelihood that trusted
> email verification services will be offered for free, which means
> that A1 may become widely adopted if it is as simple as today's email
> process, but that the user only has to do it once. Since only one (or
> maybe a few) sites do the verification, each domain does not need to
> do any config and the user can have any email address.
>
> To pick up on the value of verified email, there is another use of a
> verified email address (or for the privacy conscious, a verified
> hash of an email address). ACLs. It is a total pain to give certain
> people access to a resource. Many of the private space wikis use
> email invites. Taking that a step further, you enter in the email
> addresses of who you would like to have access (email is an easy ID
> for people), and your invitees prove they own that email address --
> essentially it is the attribute that grants them access.
>
> -- Dick

_______________________________________________ dix mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dix
