- From: Dick Hardt <dick@sxip.com>
- Date: Sat, 28 Apr 2007 09:06:52 +0200
- To: "Ben Laurie" <benl@google.com>
- Cc: "Stuart E. Schechter" <ses@ll.mit.edu>, "Dan Schutzer" <dan.schutzer@fstc.org>, "Thomas Roessler" <tlr@w3.org>, "michael.mccormick@wellsfargo.com" <michael.mccormick@wellsfargo.com>, kjell.rydjer@swedbank.se, steve@shinkuro.com, public-usable-authentication@w3.org
On 28-Apr-07, at 8:58 AM, Ben Laurie wrote:

>> When I register a domain name, the registrar is involved in that
>> transaction and establishes a means to authenticate me in the future so that
>> I can change my domain registration information. Similarly, if I transfer a
>> domain to a register, I do not do so until establishing a means of
>> authenticating myself to that registrar. This authentication information is
>> an important component of the business relationship that is established at,
>> or before, the time a domain name is registered (or transferred).
>
> I am aware of all of this, of course - but as is common when high
> volumes and low margins are involved this authentication mechanism is
> totally automated (and typically weak), including recovery of
> passwords and the like. So, I fully expect them to get subverted when
> it is profitable to do so.

All the more reason for a move to stronger authentication coupled with identity protocols (not that I am biased or anything :-) ... but this is another technical problem that is solvable. The CA correctly identifying that I am the owner of a domain is a business process that is not easily solvable with technology.

I think we are getting way off the topic of the thread though (partly my fault, sorry), which was should there be an indicator of DNSSEC exposed to the user through the browser. I would agree with it being part of "advanced information" and a secondary indicator, not a primary indicator.

-- Dick
Received on Saturday, 28 April 2007 07:07:18 UTC