- From: Steingruebl, Andy <asteingruebl@paypal.com>
- Date: Mon, 17 May 2010 17:47:09 -0600
- To: Henrik Nordström <henrik@henriknordstrom.net>, Aryeh Gregor <Simetrical+w3c@gmail.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Henrik Nordström
> Sent: Monday, May 17, 2010 4:27 PM
> To: Aryeh Gregor
> Cc: public-web-security@w3.org
> Subject: Re: VeriSign feedback/comments on STS -06
>
> Not a problem for a DNS-based approach. That would need to be done
> similar to how SRV records are done.

Fundamentally we agree. Unfortunately, without widespread DNSSEC deployment, delivering a security policy over a low-integrity channel isn't an option.

We do believe this isn't necessarily a long-term solution - and are proposing the shape of one this week at the W2SP - http://w2spconf.com/2010/

--
Andy Steingruebl
PayPal Information Risk Management

Received on Monday, 17 May 2010 23:47:44 UTC