Hi Joe, Sent from my iPhone > On 1 Aug 2024, at 21:11, Joe Abley <jabley@xxxxxxxxxxxxxx> wrote: > > Hi Klaas, > >> On Aug 1, 2024, at 20:33, Klaas Wierenga via Datatracker <noreply@xxxxxxxx> wrote: >> >> Reviewer: Klaas Wierenga >> Review result: Has Nits >> >> The draft reads well and is clear. I have one question that is maybe worth >> answering in the security considerations. What is the impact of retrieving the >> trust anchors over http instead of https? Does that lead to a risk of ending up >> with an invalid set of trust anchors? >> >> Klaas > > There are risks of ending up with an invalid set of trust anchors regardless of what method is used to retrieve them. The use of TLS might mitigate some risks, but it does not eliminate them (e.g. it does not address the risk of a compromised CA issuing a certificate, or that the document being retrieved over HTTPS has been modified at rest by some unauthorised third party. True that it does not eliminate all risks, but I’d argue that the use of http instead of https leads to a much more trivial to exploit attack surface than your examples. > > There are compensatory controls that can be used to mitigate particular risks, but the decision to mitigate particular risks and the choice of mitigation will surely vary significantly depending on the nature of the relying party. For some applications, trust-at-first-use might be perfectly appropriate. Others might require different measures to be taken. Some might consider retrieving the XML document described in this document to be too risky to do at all, and might insist on manual, in-person attestations and verification of new trust anchors before use. > > I think it would be inappropriate for this document to try and catalogue all possible use-cases and risks around this. However, I can see how it might be useful to add a sentence saying this kind of thing out loud. I have not discussed this with my co-authors but I am interested to hear their reaction. I think that position is reasonable, and I would be happy with such a sentence! Klaas > > > Joe > -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx