zlacker

[parent] [thread] 3 comments
1. efitz+(OP)[view] [source] 2023-05-04 20:36:57
If you want to prove domain ownership, you have to do it at the domain level.

The ability to serve a file “www.example.com” in no way demonstrates ownership of “example.com”; it demonstrates that you control www.example.com.

If you want to prove ownership of a second level domain you must do it through a record in DNS, or through demonstrating control of something that is publicly known to control the domain such as the administrative contact emails.

This really is a solved problem in the PKI space; they should have borrowed that rather than invent their own.

replies(1): >>stevek+n1
2. stevek+n1[view] [source] 2023-05-04 20:44:15
>>efitz+(OP)
As said multiple times in this thread, the primary way of identifying yourself in this protocol is a TXT record in DNS.
replies(1): >>gkbrk+vT
◧◩
3. gkbrk+vT[view] [source] [discussion] 2023-05-05 04:15:12
>>stevek+n1
The "primary" way doesn't really matter if a user checks their app and sees that it was verified.

Unless the UI makes it clear it was verified with "non-primary" methods so users can be cautious, any method of verification is essentially "primary" from the user POV.

replies(1): >>stevek+5Z
◧◩◪
4. stevek+5Z[view] [source] [discussion] 2023-05-05 05:24:19
>>gkbrk+vT
Yes. It is a problem that this method has issues. They’ll be fixed. My point is, they did not ignore that case, they focused on it! This is just a bug in an additional method.
[go to top]