bluesky-social / atproto-website

https://atproto.com

Recommend that native apps do not use DNS to resolve identity during OAuth #348

Open matthieusieben opened 3 days ago

matthieusieben commented 3 days ago

Currently the OAuth spec states:

> In some client environments, it may be difficult to resolve all identity types. For example, handle resolution may involve DNS TXT queries, which are not directly supported from browser apps. Client implementations might use alternative techniques (such as DNS-over-HTTP) or could make use of a supporting web service to resolve identities.

The use of DNS from native devices has security & privacy implications. An attacker could listen, or worse, tamper with DNS-based identity resolution to lure users into entering their credentials on the wrong PDS.

We should adapt the spec to state that native devices "MUST" make use of SSL based solutions (DoH, HTTPS atproto identity resolution, or their own SSL protected service) in order to perform the resolution from a backend service.
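The following is an added example of the HTTPS-only resolution the issue argues for; it is not code from the atproto project or from the issue author. It resolves a handle to a DID using a DNS-over-HTTPS JSON resolver (the Cloudflare endpoint URL is an assumption; any RFC 8484 JSON-API resolver works) for the `_atproto.<handle>` TXT record, falling back to the `https://<handle>/.well-known/atproto-did` document, in the order the atproto handle specification describes. It also includes the bidirectional check (the DID document's `alsoKnownAs` must name the handle) that limits what a spoofed resolution answer can achieve on its own. The `get` parameter is an injection point so the logic can be exercised offline; all handles and responses used are constructed.

```python
"""Resolve an atproto handle to a DID over HTTPS only (no raw UDP/TCP DNS).

Added example, not atproto project code. Assumptions: a public DoH resolver
with the RFC 8484 JSON API (Cloudflare's endpoint below), and the atproto
resolution order of DNS TXT first, then the HTTPS well-known document.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed public DoH resolver; any DoH service exposing the JSON API would do.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
DID_RE = re.compile(r"^did:(plc|web):[A-Za-z0-9._:%-]+$")

Fetcher = Callable[[str, str], bytes]  # (url, accept_header) -> response body


def http_get(url: str, accept: str) -> bytes:
    """Plain HTTPS GET. TLS is what keeps an on-path attacker from rewriting the answer."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS resolution URL: " + url)
    req = urllib.request.Request(url, headers={"Accept": accept})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def doh_txt_url(handle: str) -> str:
    """DoH JSON query URL for the _atproto.<handle> TXT record."""
    q = urllib.parse.urlencode({"name": "_atproto." + handle, "type": "TXT"})
    return DOH_ENDPOINT + "?" + q


def parse_doh_txt(body: bytes) -> list:
    """Return the TXT strings from a DoH JSON response (type 16 answers only)."""
    data = json.loads(body)
    records = []
    for ans in data.get("Answer", []):
        if ans.get("type") != 16:
            continue
        # DoH JSON quotes TXT data; long records arrive as several quoted chunks.
        records.append("".join(re.findall(r'"([^"]*)"', ans.get("data", ""))))
    return records


def did_from_txt(records: list) -> Optional[str]:
    """Exactly one did= record is required; zero or several means resolution fails."""
    dids = [r[len("did="):].strip() for r in records if r.startswith("did=")]
    if len(dids) != 1 or not DID_RE.match(dids[0]):
        return None
    return dids[0]


def did_from_well_known(body: bytes) -> Optional[str]:
    """The well-known document is the bare DID; anything else is rejected."""
    did = body.decode("utf-8", errors="replace").strip()
    return did if DID_RE.match(did) else None


def resolve_handle(handle: str, get: Fetcher = http_get) -> Optional[str]:
    """DNS TXT over HTTPS first, then the HTTPS well-known document; None on failure."""
    handle = handle.lower().strip(".")
    try:
        did = did_from_txt(parse_doh_txt(get(doh_txt_url(handle), "application/dns-json")))
    except (OSError, ValueError):  # network error or malformed JSON
        did = None
    if did:
        return did
    try:
        return did_from_well_known(
            get("https://%s/.well-known/atproto-did" % handle, "text/plain"))
    except (OSError, ValueError):
        return None


def handle_confirmed_by_did_doc(did_doc: dict, handle: str) -> bool:
    """Bidirectional check: the DID document must list at://<handle> in alsoKnownAs.

    Without this, a spoofed resolution answer could bind a victim's handle to an
    attacker-controlled DID (and so to the attacker's PDS) unnoticed.
    """
    wanted = "at://" + handle.lower().strip(".")
    return wanted in [str(a).lower() for a in did_doc.get("alsoKnownAs", [])]
```

A client that wants the "own SSL-protected service" option from the issue only needs to swap `DOH_ENDPOINT` (or `get`) for its backend; the parsing and the exactly-one-record rule stay the same, and the `alsoKnownAs` confirmation should be run against the DID document fetched afterwards regardless of which resolution path answered.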