DNS spoofing and poisoning..

Brad Fitzpatrick brad at danga.com
Sat May 21 13:47:05 PDT 2005


DNS poisioning... no.  DNS-SEC?  :)  Something simple like including the
IP address that corresponds to a hostname isn't so easy because lots of
sites have tons of IPs, and do round-robin, or do geographic load
balancing.  Open to easy band-aid suggestions, though.

We've talked about explicitly not going down the road of key revocation.
We're not trying to reinvent PGP.

When you get an assertion from the server that somebody owns a URL tree,
that assertion isn't good for life.  It applies to that moment.

So in the blog context:  a spammer takes over a popular domain to get
some good rights to go spam everybody.  The network quickly adapts as
people take that URL off their "blog roll" or "friend's list" and quickly
that identity isn't good anymore.

The point of OpenID is to be dead simple, short-comings and all, so it's
actually adopted.  Things like comment-signing, priviledge passing, etc.,
can all be added on later atop the authentication phase, decided between
parties that support it, later formalized as some sort of defacto
extension.  (to this defacto "spec")  For instance, we'll probably ask
sites like Flickr that post to LJ by taking LJ user's passwords to give us
their RSA public key in the auth request, and ask for "atom-post"
privileges, and we'll encrypt and send back a priviledge token then can
use for one time or some short period of time to only post to LJ.  And
that's all not part of OpenID... but something we'll layer on later, and
make available to anybody who wants to use it.

- Brad



On Sat, 21 May 2005, Troy Benjegerdes wrote:

> Is there anything in the current protocol to mitigate DNS spoofing
> and cache poisoning attacks?
>
> The other thing I suspect will happen are people like myself who have a
> unix box at home or a hosted domain they can set an OpenID server up on,
> but then for whatever reason, lose the domain.
>
> Is this dealt with by the OpenID server private key? How will key revocation
> and updates be handled? Are we not that far yet?
>
> This stuff gets to be a mess once you get into it..
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>


More information about the yadis mailing list