DNSSEC is already a foundation for PKI and it's a mandated requirement for new gTLDs. While DANE for SMTP is not ready for prime time, we could provisionally have only the URS provider sign e-mail with S/MIME and include a random token in the subject that needs to be in the answer for recognition:

    From: URS Provider
    Subject: Suspension of xxxx.gtld, token 1234567890
    Signed: URS Provider (S/MIME)

    From: Registry
    Subject: Re: Suspension of xxxx.gtld, token 1234567890
    (not required to be signed)

18 months from now, signing with DANE will likely be feasible to be a requirement for both the URS Provider and the registry. This way we also keep authentication inside the DNS system and foster the roll-out of security measures.

Rubens

On Jul 10, 2013, at 11:37 AM, "Matthias Pfeifer" <info@freshmail.de> wrote:
John,
Subject: Re: [gtld-tech] gtld-tech URS technical requirements
ICANN should not be mandating that any of this be done in an automated fashion, nor should it mandate things like "all e-mails sent by Registry Operator to the URD Provider MUST be cryptographically signed using a S/MIME certificate....."
What are you going to do when sleazy domainers start phishing you with fake messages from URS providers saying to turn their domains back on?
While I agree that it's silly to try and define all of the low level details, I don't think it's silly to give some thought to security issues like how the URS providers and registries recognize each other.
Almost a serious question.
What about a PKI/Web-Of-Trust, managed by the URS provider instead of S/MIME?
But at least I think it is too complex to manage and may delay the URS implementation/process.
Matthias Pfeifer - dotVersicherung
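The token-bound notice/reply exchange Rubens sketches above, as an added example (Python) that is not code from this thread, from ICANN, or from any URS provider or registry. It assumes constructed provider and registry addresses, a 14-day reply window, and a 128-bit hex token (the thread shows a 10-digit one; the length is our choice). S/MIME signing and verification of the provider's notice are assumed to be done by the mail layer and are represented only by a boolean the registry side receives; the provider side shows what the echoed token actually buys: a reply is accepted only if its token is outstanding, was issued for the same domain, has not expired, and has not been used before.

```python
from __future__ import annotations

import hmac
import re
import secrets
import time
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed addresses and policy values (assumptions, not from the thread).
PROVIDER = "urs@provider.example"
REGISTRY = "urs@registry.example"
TOKEN_TTL = 14 * 24 * 3600  # assumed: a reply must arrive within 14 days

# Subject form from the thread: "Suspension of <domain>, token <token>",
# optionally prefixed by one or more "Re:" in the reply.
SUBJECT_RE = re.compile(
    r"^(?:Re:\s*)*Suspension of (\S+)\s*,\s*token\s+(\S+)\s*$", re.IGNORECASE
)


def new_token() -> str:
    # 128 bits from the OS CSPRNG: unguessable, so a forged reply cannot carry it.
    return secrets.token_hex(16)


class NoticeRegistry:
    """Provider side: outstanding suspension notices, keyed by their token."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock (tests use a fake one)
        self.pending: dict[str, tuple[str, float]] = {}  # token -> (domain, issued_at)

    def build_notice(self, domain: str) -> EmailMessage:
        token = new_token()
        self.pending[token] = (domain, self.now())
        msg = EmailMessage()
        msg["From"] = PROVIDER
        msg["To"] = REGISTRY
        msg["Subject"] = f"Suspension of {domain}, token {token}"
        msg.set_content(f"Please suspend {domain} per the URS determination.\n")
        return msg  # would be S/MIME-signed by the mail layer before sending

    def check_reply(self, raw_reply: str) -> tuple[bool, str]:
        """Return (accepted, domain-or-reason) for a registry reply."""
        reply = message_from_string(raw_reply, policy=default)
        m = SUBJECT_RE.match(str(reply.get("Subject", "")))
        if not m:
            return False, "subject does not carry a domain and token"
        domain, token = m.group(1), m.group(2)
        if not token.isascii():
            return False, "malformed token"
        # Constant-time comparison against every outstanding token, so a
        # probing sender learns nothing from timing about partial matches.
        match = next((t for t in self.pending if hmac.compare_digest(t, token)), None)
        if match is None:
            return False, "unknown or already-used token"
        expected_domain, issued = self.pending[match]
        if expected_domain.lower() != domain.lower():
            return False, "token was issued for a different domain"
        if self.now() - issued > TOKEN_TTL:
            del self.pending[match]
            return False, "token expired"
        if REGISTRY not in str(reply.get("From", "")):
            return False, "reply does not come from the registry address"
        del self.pending[match]  # one-shot: a replayed reply is rejected
        return True, domain


def build_reply(raw_notice: str, smime_signature_valid: bool) -> EmailMessage | None:
    """Registry side: echo the token only for a notice whose S/MIME signature
    verified. Verification itself is the mail layer's job (assumed flag here)."""
    if not smime_signature_valid:
        return None
    notice = message_from_string(raw_notice, policy=default)
    subject = str(notice.get("Subject", ""))
    if not SUBJECT_RE.match(subject):
        return None
    reply = EmailMessage()
    reply["From"] = REGISTRY
    reply["To"] = str(notice["From"])
    reply["Subject"] = "Re: " + subject
    reply.set_content("Suspended.\n")
    return reply


if __name__ == "__main__":
    reg = NoticeRegistry()
    notice = reg.build_notice("xxxx.gtld")
    answer = build_reply(notice.as_string(), smime_signature_valid=True)
    print(reg.check_reply(answer.as_string()))   # (True, 'xxxx.gtld')
    print(reg.check_reply(answer.as_string()))   # replay: (False, '...')
```

The same `SUBJECT_RE` serves both ends, so the registry never has to parse the token itself; it simply prefixes "Re: " and returns the subject, which is exactly what the thread's "(not required to be signed)" reply relies on. What the registry must never do is answer a notice whose signature did not verify, since the echoed token would then authenticate a forged suspension request.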