"John Levine" <[email protected]> writes: > I'd look at RFC 9718, about publising the DNSSEC root keys since I'd expect it > to be published at roughly the same place. It might as well use a similar > method. The key file is XML rather than JSON for historical reasons, and there > is a detached signature which it appears nobody uses in favor of trusting the > https certificate when you download it from data.iana.org.
I think it may be critical to have a signature which is separate from the HTTPS cert because you want IANA to be the ultimate authority over the contents with zero dependency on another agent. Our current WebPKI doesn't really protect against malicious parents (or even malicious aunts and uncles except checking after the fact whether or not the cert you used was invalidly issued by the wrong authority). But, it certainly could be that the average implementation would never check that more decentralized signature in favor of just trusting their TLS stack. But the ability to trust an IANA controlled key itself is probably critical (IMHO) for absolute verification. -- Wes Hardaker Google _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
