> Surely someone, somewhere, has to take some responsibility for allowing
> domains to be created which are clearly and obviously bogus. Who could
> possibly have a reason to register paypal-unlocking.net?

The problem is, there's no such thing as a domain which is, or which is not, "clearly and obviously bogus". There won't be internationally applicable rules (i.e., blacklists and whitelists) that describe the "validity" of domain names. What if there actually exists a company called paypal unlocking (TM) somewhere in the remote outskirts of a Tasmanian village?

We simply can't build security mechanisms which rely on domain names. That has been, and still is, the major problem with protocols like SSL/TLS which are otherwise technically sound.

Cheers,

Stefan.

-------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@xxxxxxxxxx, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B