OASIS Mailing List Archives

xri message

Subject: Re: [xri] Designating DNS discovery for non-HTTP URIs

I'd like to discuss this more (my mind isn't made up quite yet), so I'll proffer a side.

I think everyone agrees with your statement below, Eran, that "DNS has the most authority over any domain-level services. So if we allow DNS to state that HTTP has authority over non-HTTP URIs, we solve the authority problem".  The sticking point is whether this MUST occur, or simply CAN occur (i.e., does the spec mandate "Add DNS record to authorize" or "Add DNS record to forbid" -- see previous message for what this means).

Using "Add DNS record to forbid" would facilitate those in the HTTP-camp that don't want to munge with DNS, and would also allow the SMTP postmaster (via DNS) to reassert his/her "authority" if desired, albeit after the fact.  This compromise would likely spur adoption of XRD, while using "Add DNS record to authorize" would likely hamper adoption of XRD (think about when the OpenID Foundation makes email addresses into OpenIDs -- how likely are they to accept XRD if it means everyone in OpenID land has to start messing with DNS to make things work properly).

Addressing the "eager webmaster" concern, this is a non-issue from a practical perspective.  It's likely anything that this webmaster would be doing with mailto URIs would involve a non-SMTP service.  Any software that the postmaster cares about uses DNS for discovery, and it's unlikely that XRD is going to replace MX records and such.  So, I'm not sure I see a threat of the webmaster somehow usurping meta-data about mailto URIs that the postmaster even cares about -- and if the postmaster ends up caring, he can use the "Add DNS record to forbid" mechanism and assert his will.


On Thu, Jan 8, 2009 at 4:44 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

This is one of the options (see my reply to Peter). But it has to be "Add DNS record to authorize" and not "Add DNS record to forbid". The real problem is that an eager HTTP admin will be able to hijack an organization's identity services or other sensitive discovery-based data without anyone having any control over it. In most companies, there is a clear separation between the postmaster and webmaster and we need to make sure not to introduce security issues.



