Re: [Last-Call] [secdir] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06

On Mon, May 3, 2021 at 10:40 AM Russ Housley <housley@xxxxxxxxxxxx> wrote:

>> Understood. I'm not suggesting the web PKI be used to authenticate IP address space ownership. I'm suggesting that the following chain would be sufficient:
>>
>>  * RPKI authenticates the routing information, which includes the IP address space and the https URLs for each geofeed file.
>>  * Web PKI authenticates the data served at that URL.
>>  * Client verifies that the IP ranges in the geofeed data are contained within the (RPKI-authenticated) routing information.
>
> This is not quite right.  It is true that the WebPKI provides authentication and integrity when https:// is used, but this is not required.  If http:// were used, and the file was modified in transit by an attacker, the RPKI signature check would fail.

Yes. Which is why I'm suggesting that you mandate https.

I'm obviously not aware of the potential operational complications of doing so, as I don't work in this area. There may be good reasons why this is impractical. The tradeoff, however, is a more complex client ecosystem, which must accommodate two authentication methods instead of one.
 
Kyle
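The client-side half of the chain discussed above, as an added example that is not part of the thread, the draft, or any real geofeed consumer: it enforces an https-only URL policy and then checks that every prefix in a geofeed file lies inside address space the client has already accepted as RPKI-authenticated. The geofeed layout is assumed to be the RFC 8805 CSV form (prefix,country,region,city,postal); the authorized prefix set and the geofeed contents are constructed documentation ranges, and a real client would derive the authorized set from validated RPKI data rather than a hard-coded list.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for prefixes this client has already validated via RPKI.
# Assumption: a real client derives this set from validated RPKI objects; these
# are documentation ranges, not real allocations.
RPKI_AUTHORIZED = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed geofeed file in the RFC 8805 CSV layout (prefix,country,region,city,postal).
# One line is outside the authorized space and one is deliberately malformed.
SAMPLE_GEOFEED = """\
# constructed example, not a real geofeed
192.0.2.0/25,US,US-CA,San Francisco,
192.0.2.128/25,US,US-NY,New York,
2001:db8:1::/48,DE,DE-BE,Berlin,
198.51.100.0/24,US,US-TX,Austin,
not-a-prefix,US,,,
"""


def url_is_acceptable(url):
    """The https-only policy argued for in the thread: the WebPKI only
    authenticates the served bytes when the fetch actually uses TLS."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def parse_geofeed(text):
    """Yield (line_number, line, network_or_None) for each data line,
    skipping blank lines and '#' comments; an unparsable prefix yields None."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix = line.split(",", 1)[0].strip()
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            net = None
        yield lineno, line, net


def covered_by(net, authorized):
    """True if net lies entirely inside one authorized prefix of the same family.
    The version check matters: subnet_of() raises on mixed IPv4/IPv6 input."""
    return any(net.version == a.version and net.subnet_of(a) for a in authorized)


def check_geofeed(url, text, authorized):
    """Apply the chain: https URL first, then per-line containment in the
    RPKI-authorized space. Returns (accepted, rejected); each rejected entry
    is (line_number, line, reason), with line 0 meaning the URL itself."""
    if not url_is_acceptable(url):
        return [], [(0, url, "geofeed URL must use https")]
    accepted, rejected = [], []
    for lineno, line, net in parse_geofeed(text):
        if net is None:
            rejected.append((lineno, line, "unparsable prefix"))
        elif not covered_by(net, authorized):
            rejected.append((lineno, line, "prefix outside RPKI-authorized space"))
        else:
            accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    # Hypothetical URL; nothing is fetched here, the constructed file is checked in place.
    url = "https://geofeed.example.net/geofeed.csv"
    ok, bad = check_geofeed(url, SAMPLE_GEOFEED, RPKI_AUTHORIZED)
    print("accepted:", ok)
    for lineno, line, reason in bad:
        print(f"rejected line {lineno} ({reason}): {line}")
```

Rejecting individual lines rather than the whole file keeps a single out-of-scope prefix from discarding otherwise valid data, but a client that treats the file as one signed unit can equally choose to reject everything on the first containment failure; the containment check itself is the same either way.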

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
