On Mon, May 3, 2021, 11:28 AM Russ Housley <housley@xxxxxxxxxxxx> wrote:
This is not quite right. It is true that the WebPKI provides authentication and integrity when https:// is used, but this is not required. If http:// were used, and the file was modified in transit by an attacker, the RPKI signature check would fail.

Yes. Which is why I'm suggesting that you mandate https.

I do not have a problem mandating the use of https:// for authentication and integrity protection of the file. I think that is shown in the examples. I am saying that doing so does not "chain" the trust models.

Explain how an attacker could get a client to accept a forged geofeed data file authenticated as I have suggested, because I'm not seeing it.
Kyle
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call