At 12:46 PM +0200 2005-07-19, Iljitsch van Beijnum wrote:
>> What public key crypto are you talking about?
>
> The public key crypto that powers the authentication in SSL.

But that has nothing to do with the DNS. Moreover, mikerowesoft.com would presumably have an SSL certificate issued to mikerowesoft.com and which claimed only that it was mikerowesoft.com and not microsoft.com. The SSL certificate would check out completely, and still have absolutely nothing whatsoever to do with the DNS, cache pollution/poisoning, etc....

>> You're on a slippery slope here. At what point do you think that you can stop protecting the users? How do you justify that?
>
> I justify it because "protecting" users against the fact that similar looking/sounding names actually map to completely different things ultimately can't be done, so it's better to not do it at all so users get burned by relatively harmless examples of this phenomenon (www.gougle.com and the like) so they understand it and foster the appropriate level of distrust.

Actually, that's a statement that I can agree with. My point was that, if you're going to try to protect the users against homophone/homograph attacks, you need to do it in a standardized way. Moreover, the standards for controlling that need to be held by separate entities from those who are creating the tools which will implement those standards -- witness Microsoft's recent downgrading of Claria/Gator as a malware vendor, simply because they're looking at buying the company.

-- 
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.