On 8-Aug-08, at 12:46 PM, David Recordon wrote: > I think what Ben was saying is that DNS-SEC would solve the problem > of making sure that you know whether or not you're getting the > correct IP address for myopenid.com when you resolve it. This thus > would prevent the DNS poisoning style of attack and move to using > SSL more for the encryption of the connection versus also making > sure you're talking to the right host (e.g. no MITM). > > The problem so far is that DNS-SEC isn't widely deployed and I think > Ben was suggesting that fixing this problem for OpenID would still > not be seen as compelling enough to make it happen. > > Ben, correct me if I'm wrong.
See Ben's email that answered my question well. DNS-SEC can provide numerous other services. For example, it could provide a public key for an OpenID which would eliminate the need to do a key exchange between the OP and the RP, and would also reduce or eliminate the need for an OP since the client software could sign the messages directly if it had the private key. -- Dick _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
