On Mon, May 3, 2021 at 10:40 AM Russ Housley <hous...@vigilsec.com> wrote:
> > Understood. I'm not suggesting the web PKI be used to authenticate IP > address space ownership. I'm suggesting that the following chain would be > sufficient: > > * RPKI authenticates the routing information, which includes the IP > address space and the https URLs for each geofeed file. > * Web PKI authenticates the data served at that URL. > * Client verifies that the IP ranges in the geofeed data are contained > within the (RPKI-authenticated) routing information. > > > This is not quite right. It is true that theWebPKI provide authentication > and integrity when https:// is used, but this is not required. If http:// > were used, and the file was modified in transit by an attacker, the RPKI > signature check would fail. > Yes. Which is why I'm suggesting that you mandate https. I'm obviously not aware of the potential operational complications of doing so, as I don't work in this area. There may be good reasons why this is impractical. The tradeoff, however, is a more complex client ecosystem, which must accommodate two authentication methods instead of one. Kyle
_______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg
