

To: "'Hollenbeck, Scott'" <shollenbeck@verisign.com>
Cc: "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: Bruce Tonkin <Bruce.Tonkin@melbourneit.com.au>
Date: Wed, 16 Jan 2002 12:42:34 +1100
Sender: owner-ietf-provreg@cafax.se
Subject: RE: <info> Command and authInfo

Hello Scott,

> I'm not so sure of the benefit in putting <authInfo> into the <update>,
> <delete> and <renew> commands given the discussion we had on the list some
> time ago (we DID have it that way, and then folks wanted it removed from all
> but <transfer>), but I understand what you're saying about the dates and the
> <info> command.

I can't remember the previous discussions, but I am only saying that it
should be available OPTIONALLY.

There are some better security models possible, where passwords may be
dynamically updated, that might result in transaction security for updates
etc being done on a per domain name level, rather than relying solely on
registrar security/authentication (via the login command).

A potential security flaw in the current system is that if the registrar is
compromised, then an unauthorised entity could potentially have access to
update etc - all records associated with that particular registrar.

I think from a generic registry perspective, it should be possible to
provide better security around commands that change the status of individual
objects in the registry.

I can think of value added services, where additional security could be
purchased from the registry via registrars for some domain names.

Regards,
Bruce Tonkin
