Subject: Re: [xri] trust profiles for XRD

On Wed, Dec 17, 2008 at 3:20 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
> Basically, it is kind of unfortunate, in addition to what George has pointed
> out, if we consider the case of domain owner change into the scope, it
> breaks.

Agreed, the http authority trust profile is at risk from this attack. I'm OK with that risk. Quite frankly, if a domain gets hijacked far, far more is at stake than XRD or OpenID. Monetary losses are significant and immediate.

(Aside: it's also important to consider the case of *legitimate* transfer of authority. Just because the domain owner changed doesn't make the change malicious.)

At any rate, I've added a "security considerations" section to the http authority trust profile.

Nat, I see you put some comments in the http authority trust profile about how it could be used for DCE authorities: it could not. Someone who wants to use DCE would define a DCE trust profile for XRD that specifies the necessary security rules. Likewise for absolute XRIs.

Cheers,
Brian