[gtld-tech] gtld-tech URS technical requeriments
Rubens Kuhl
rubensk at nic.br
Wed Jul 10 14:46:18 UTC 2013
DNSSEC is already a foundation for PKI and it's a mandated requirement for new gTLDs. While DANE for SMTP is not ready for prime time, we could provisionally have only the URS provider sign e-mail with S/MIME and include a random token in the subject that needs to be in the answer for recognition:
From: URS Provider
Subject: Suspension of xxxx.gtld , token 1234567890
Signed: URS Provider (S/MIME)
From: Registry:
Subject: Re: Suspension of xxxx.gtld , token 1234567890
(not required to be signed)
18 months from now, signing with DANE will likely be feasible as a requirement for both the URS Provider and the registry. This way we also keep authentication inside the DNS system and foster the roll-out of security measures.
Rubens
On Jul 10, 2013, at 11:37 AM, "Matthias Pfeifer" <info at freshmail.de> wrote:
> John,
>
>
>> Betreff: Re: [gtld-tech] gtld-tech URS technical requeriments
>>
>>> ICANN should not be mandating that any of this be done in an automated
>>> fashion, nor should it mandate things like "all e-mails sent by
>>> Registry Operator to the URD Provider MUST be cryptographically signed
>>> using a S/MIME certificate....."
>>
>> What are you going to do when sleazy domainers start phishing you with fake
>> messages from URS providers saying to turn their domains back on?
>>
>> While I agree that it's silly to try and define all of the low level
>> details, I don't think it's silly to give some thought to security issues
>> like how the URS providers and registries recognize each other.
>
> almost a serious question.
>
> What about a PKI/Web-Of-Trust, managed by the URS provider instead of
> S/MIME?
>
> But at least I think it is too complex to manage and may delay the URS
> implementation/process.
>
>
> Matthias Pfeifer - dotVersicherung
>
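The subject-token matching proposed above, as an added example that is not part of the original message or of any URS specification: the provider records the token it placed in the signed notice and accepts a reply only if the subject carries that token for the same domain, once, within a validity window. S/MIME signing itself is not shown; the class name, the 24-hour window and example.gtld are assumptions.

```python
import hmac
import re
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window in seconds (not from the thread)
# Matches "Suspension of <domain> , token <token>" with any number of "Re:" prefixes.
SUBJECT_RE = re.compile(r"^(?:Re:\s*)*Suspension of (\S+)\s*, token (\S+)\s*$", re.I)


class TokenLedger:
    """Provider-side record of tokens sent in signed suspension notices."""

    def __init__(self):
        self._pending = {}  # domain -> (token, issued_at)

    def issue(self, domain, now=None):
        """Create a fresh token and return the Subject line for the notice."""
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        issued = time.time() if now is None else now
        self._pending[domain.lower()] = (token, issued)
        return f"Suspension of {domain} , token {token}"

    def check_reply(self, subject, now=None):
        """Return the domain if the reply carries its live token, else None."""
        m = SUBJECT_RE.match(subject.strip())
        if not m:
            return None
        domain, token = m.group(1).lower(), m.group(2)
        entry = self._pending.get(domain)
        if entry is None:
            return None
        expected, issued = entry
        now = time.time() if now is None else now
        if now - issued > TOKEN_TTL:
            del self._pending[domain]  # expired: drop it
            return None
        # Constant-time comparison; a wrong guess leaves the token pending.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        del self._pending[domain]  # single use: a replayed reply fails
        return domain


if __name__ == "__main__":
    ledger = TokenLedger()
    subject = ledger.issue("example.gtld")  # constructed sample domain
    print(subject)
    print(ledger.check_reply("Re: " + subject))
```

Because the reply is unsigned, a matching token shows only that the sender saw the signed notice, so the check ties a reply to a request rather than authenticating the registry.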