Re: [Last-Call] [secdir] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06

On May 3, 2021, at 10:47 AM, Kyle Rose <krose@xxxxxxxxx> wrote:

On Mon, May 3, 2021 at 10:40 AM Russ Housley <housley@xxxxxxxxxxxx> wrote:

Understood. I'm not suggesting the web PKI be used to authenticate IP address space ownership. I'm suggesting that the following chain would be sufficient:

 * RPKI authenticates the routing information, which includes the IP address space and the https URLs for each geofeed file.
 * Web PKI authenticates the data served at that URL.
 * Client verifies that the IP ranges in the geofeed data are contained within the (RPKI-authenticated) routing information.

This is not quite right.  It is true that the WebPKI provides authentication and integrity when https:// is used, but this is not required.  If http:// were used, and the file were modified in transit by an attacker, the RPKI signature check would fail.

Yes. Which is why I'm suggesting that you mandate https.

I do not have a problem mandating the use of https:// for authentication and integrity protection of the file.  I think that is shown in the examples.  I am saying that doing so does not "chain" the trust models.

Russ

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
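The third bullet in Kyle Rose's list, the consumer-side check that every prefix in a fetched geofeed lies within the address space the publisher is authorized for, is the one step that does not depend on which PKI protected the transport. The following is an added example of that check and is not code from draft-ietf-opsawg-finding-geofeeds or from either participant. It assumes an RFC 8805 style CSV geofeed (prefix,country,region,city,postal, with `#` comments), and the sample geofeed lines, the authorized prefix list and the function names are all constructed for illustration; in practice the authorized prefixes would come from the RPKI-validated object or registry entry that pointed at the geofeed URL.

```python
"""Containment check for geofeed prefixes against an authorized prefix set.

Added example, not code from the draft or the thread participants.
Sample data below is constructed; the authorized prefixes stand in for
whatever RPKI-validated address space the consumer has already established.
"""
import ipaddress

# Constructed RFC 8805 geofeed: comment line, blank line, one off-range
# prefix and one syntactically invalid first field, to exercise rejection.
SAMPLE_GEOFEED = """\
# constructed geofeed, not real data
192.0.2.0/25,US,US-CA,Los Angeles,
192.0.2.128/25,US,US-NY,New York,

2001:db8::/48,DE,DE-BE,Berlin,
203.0.113.0/24,FR,FR-IDF,Paris,
not-a-prefix,US,,,
"""

# Constructed authorized address space for the publisher of SAMPLE_GEOFEED.
AUTHORIZED = ("192.0.2.0/24", "2001:db8::/32")


def parse_geofeed(text):
    """Return a list of (line, network_or_None) for each data line.

    Comment lines (leading '#') and blank lines are skipped, as RFC 8805
    permits. A line whose first field is not a valid prefix is returned
    with None so the caller can reject it instead of crashing on it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix_field = line.split(",", 1)[0].strip()
        try:
            net = ipaddress.ip_network(prefix_field, strict=True)
        except ValueError:
            net = None
        entries.append((line, net))
    return entries


def check_coverage(geofeed_text, authorized):
    """Split geofeed lines into (accepted, rejected).

    A line is accepted only when its prefix parses and is equal to or more
    specific than an authorized prefix of the same address family. The
    explicit family comparison matters because subnet_of() raises TypeError
    when asked to compare an IPv4 network with an IPv6 one.
    """
    auth_nets = [ipaddress.ip_network(a, strict=True) for a in authorized]
    accepted, rejected = [], []
    for line, net in parse_geofeed(geofeed_text):
        covered = net is not None and any(
            net.version == a.version and net.subnet_of(a) for a in auth_nets
        )
        (accepted if covered else rejected).append(line)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_coverage(SAMPLE_GEOFEED, AUTHORIZED)
    for line in ok:
        print("accept", line)
    for line in bad:
        print("reject", line)
```

Running this accepts the three entries inside 192.0.2.0/24 and 2001:db8::/32 and rejects the 203.0.113.0/24 line and the malformed one. The check is deliberately separate from verifying the file's signature or the TLS session: whatever authenticated the bytes, a consumer still has to refuse entries that describe address space the publisher was never authorized for.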
