On Apr 3, 2014, at 4:50 PM, Dave Crocker <dhc@xxxxxxxxxxxx> wrote: > ps. The other reason for using https is privacy to reduce traffic analysis and other meta-data review. This is quite separate from keeping IETF data 'confidential'. I’m actually not in the least interested in IETF data “confidentiality”. It’s not confidential. If someone can hijack 8.8.8.8 and send it to a DNS server in their favorite country, they can hijack ietf.org or 2001:1900:3001:11::2c and send it to a web server of their choice. I’d like for information from the IETF to be verifiably authentic. That includes, of course, a signature on the file and at least a signature in flight. If the way to get something equivalent to a signature is encryption in the IETF’s private key, whatever. But not a key that can be copied and reused to sign/encrypt corrupted data.
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail