On Mon, May 3, 2021, 11:28 AM Russ Housley <hous...@vigilsec.com> wrote:
> > > This is not quite right. It is true that the WebPKI provides
> > > authentication and integrity when https:// is used, but this is not
> > > required. If http:// were used, and the file was modified in transit
> > > by an attacker, the RPKI signature check would fail.
> >
> > Yes. Which is why I'm suggesting that you mandate https.
>
> I do not have a problem mandating the use of https:// for authentication
> and integrity protection of the file. I think that is shown in the
> examples. I am saying that doing so does not "chain" the trust models.

Explain how an attacker could get a client to accept a forged geofeed data
file authenticated as I have suggested, because I'm not seeing it.

Kyle