[Last-Call] Re: [Ext] Secdir last call review of draft-ietf-dnsop-rfc7958bis-03

Thank you for the review.

On Aug 1, 2024, at 11:33, Klaas Wierenga via Datatracker <noreply@xxxxxxxx> wrote:
> 
> Reviewer: Klaas Wierenga
> Review result: Has Nits
> 
> The draft reads well and is clear. I have one question that is maybe worth
> answering in the security considerations. What is the impact of retrieving the
> trust anchors over http instead of https? Does that lead to a risk of ending up
> with an invalid set of trust anchors?

I agree with Joe that we can't really list all the possible attacks and mitigations. To that end, I propose the following text be added to the Security Considerations:

Some of the methods described (such as accessing over the web
with or without verifying the signature on the file) have different security properties;
users of the trust anchor file need to consider these when choosing whether to load the set of trust anchors.

--Paul Hoffman