RE: VeriSign feedback/comments on STS -06

> -----Original Message-----
> From: [mailto:public-web-security-
>] On Behalf Of Henrik Nordström
> Sent: Monday, May 17, 2010 4:27 PM
> To: Aryeh Gregor
> Cc:
> Subject: Re: VeriSign feedback/comments on STS -06
> Not a problem for a DNS-based approach. That would need to be done
> similar to how SRV records are done.

Fundamentally we agree. Unfortunately, without widespread DNSSEC deployment, delivering a security policy over a low-integrity channel isn't an option. We do believe this isn't necessarily a long-term solution - and are proposing the shape of one this week at the W2SP -

Andy Steingruebl
PayPal Information Risk Management

Received on Monday, 17 May 2010 23:47:44 UTC