[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xri] Designating DNS discovery for non-HTTP URIs
I am starting to form the opinion that the DNS section should be dropped altogether, and that a new section on authority should be added to discuss the various views and potential issues here. Then the spec should bounce this issue right back to the application owner asking: is an “HTTP-based Resource Descriptor Discovery” appropriate for your application? I think the issue has been resolved simply by including “HTTP-based” in the name. If an HTTP-based solution is not suitable for an SMTP-related application, a different discovery workflow is needed. Now, this different workflow can be the same with the addition of the DNS idea we are tossing around, or it can be the PKI idea below. This thought is still forming, so I am very much open to other views.

EHL

From: John Bradley
[mailto:jbradley@mac.com]

Eran,

I have been thinking about this issue of using DNS for a DNS authority based scheme to delegate responsibility for mapping meta-data about its resources. I feel torn between the practical issues of just doing it in a way that people will be able to use most easily, and the overall design principle of authority hierarchy in URIs. I agree with some that probably the worst consequence is setting a bad example for others.

If I step back a bit and ask the question, is DNS the only way an organization can assert its authority outside of a scheme, it struck me that perhaps there is another way that sidesteps the DNS issue.

A signing cert from Verisign etc. states that you have control over a domain. Not a URI, not a particular scheme like https: for that host or domain, but the domain itself.

Given the relative insecurity of DNS (leaving DNSSEC aside for this conversation) I would rather trust site-meta if it has been signed by the domain cert indicating it is authoritative for mailto and/or xmpp, rather than looking to DNS.

I think if site-meta is signed by the cert of the domain then we maintain the authority chain through PKI rather than resolution. I am OK with that. (Mark, please speak up if you find this an awful principle.)

So all schemes SHOULD check the detached sig for site-meta, and site-meta is considered authoritative for all the schemes it has maps for as long as the authority segment of the scheme matches the CN of the cert. (Yes, we may need to include subjectAltNames where the value is a DNS name, or some other matching rule.)

An alternative, though weaker, option for the RP is to retrieve the site-meta over https:. That however is much weaker, as an attacker replacing a single text file on a site is a much easier thing to do than getting the private key for a site to generate the sig. It would be up to the needs of the RP software to choose the appropriate security.

If we did something like that I could be persuaded to drop the DNS check from your proposal. Peter's DNS resolution proposal is a separate issue.

Regards
=jbradley

On 9-Jan-09, at 8:56 PM, Eran Hammer-Lahav wrote:
I am happy to adjust it to “some hesitation”... :-)

(note, my response will not make it onto the XRI list, hopefully JohnB will forward it).

From: http://www.w3.org/2001/tag/2008/12/10-minutes

On Jan 7, 2009, at 6:40 PM, Eran Hammer-Lahav wrote:

There seems to be strong resistance in various communities to the idea that
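As an added illustration of the signed site-meta check John describes above (this is example code written for this page, not code from the thread, the XRI TC or any spec draft), the following Go program issues a self-signed certificate standing in for the CA-issued domain cert, produces a detached signature over a constructed site-meta document, and on the relying-party side verifies that signature and checks the URI's authority segment against the certificate's names. The site-meta content, the ECDSA P-256 / SHA-256 choice, and the rule for pulling the authority out of mailto:/xmpp: URIs (the part after '@') are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed stand-in for the served site-meta file (format illustrative only).
const sampleSiteMeta = `<XRD><Link rel="describedby" template="https://example.com/xrd?uri={uri}"/></XRD>`

// SignedSiteMeta: the served bytes plus the detached DER ECDSA signature over SHA-256(Body).
type SignedSiteMeta struct{ Body, Sig []byte }

// issueDomainCert makes a self-signed cert for host with the name in CN and a SAN dNSName.
// In the thread's model a public CA would issue it; self-signed here so the example runs offline.
func issueDomainCert(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signSiteMeta is the site operator's step: a detached signature with the domain cert's private key.
func signSiteMeta(key *ecdsa.PrivateKey, body []byte) (SignedSiteMeta, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedSiteMeta{Body: body, Sig: sig}, err
}

// authorityOf: host of https://host/... URIs, or the part after '@' of opaque mailto:/xmpp: URIs (assumed rule).
func authorityOf(rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	if u.Host != "" {
		return strings.ToLower(u.Hostname()), nil
	}
	if at := strings.LastIndex(u.Opaque, "@"); at >= 0 && at < len(u.Opaque)-1 {
		return strings.ToLower(u.Opaque[at+1:]), nil
	}
	return "", fmt.Errorf("no authority segment in %q", rawURI)
}

// verifySiteMeta is the relying-party check: the cert must be valid for the URI's authority and the detached
// signature must verify under its key. VerifyHostname matches SAN dNSName entries (CN is ignored once a SAN is present).
func verifySiteMeta(cert *x509.Certificate, sm SignedSiteMeta, resourceURI string) error {
	authority, err := authorityOf(resourceURI)
	if err != nil {
		return err
	}
	if err := cert.VerifyHostname(authority); err != nil {
		return fmt.Errorf("site-meta not authoritative for %s: %w", authority, err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported certificate key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(sm.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], sm.Sig) {
		return fmt.Errorf("detached signature does not verify: file altered or signed with another key")
	}
	return nil
}

func main() {
	cert, key, err := issueDomainCert("example.com")
	if err != nil {
		panic(err)
	}
	sm, _ := signSiteMeta(key, []byte(sampleSiteMeta))
	forged := SignedSiteMeta{Body: []byte("<XRD/>"), Sig: sm.Sig} // served file swapped, key not held
	fmt.Println(verifySiteMeta(cert, sm, "mailto:alice@example.com"))   // nil: accepted
	fmt.Println(verifySiteMeta(cert, sm, "mailto:alice@evil.example"))  // rejected: not authoritative
	fmt.Println(verifySiteMeta(cert, forged, "xmpp:alice@example.com")) // rejected: signature fails
}
```

Running main accepts the mailto: and xmpp: URIs under example.com, rejects evil.example with a hostname error, and rejects the swapped file with a signature failure; that last case is the attack the mail contrasts with the weaker https-only fetch, where replacing the served file is enough. A real relying party would additionally chain the certificate to a trusted root and check validity period and revocation, which the example leaves out.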