Re: [W3C Web Security IG] Strews report - phase 2

On Monday 18 May 2015 13:57:16 Jeffrey Walton wrote:
> The document seems to be missing a treatment of a subject, though. The
> subject is the integrity and authenticity of the WHOIS information
> used in Domain Validation.

Hm, yes, this is definitely an interesting question: the quality of
information in WHOIS databases and the DNS system. But WHOIS was not on our
radar for Web security. I think WHOIS would merit its own case study, like the
one we have done for WebRTC
http://www.strews.eu/images/webrtc.pdf
because of all the privacy implications and the connections to the identity
management systems and social networking etc.

> On the surface, it appears the integrity and authenticity of the
> database is accepted when performing domain validations, but later
> rejected for things like additional resource records that could
> provide context-specific security information. But I'm probably
> reading or parsing it incorrectly.

Interesting remark. Can you specify a page where the authenticity of the
database is accepted and then where it is later rejected? This sounds like an
unintended contradiction.

 --Rigo

Received on Monday, 18 May 2015 19:14:57 UTC