Eliot Lear <[email protected]> wrote:
> So this raises an interesting question, which is probably more
> appropriate for RATS. What information should be shared with whom and
> how? The voucher is shipped in the clear without much prompting.
How so in the clear?
It's DNS-ID or pinned TLS from Registrar to MASA (which is across the Internet).
Getting a voucher requires a voucher-request, signed by the device.
That could be obtained by a malicious registrar, true, but that requires
on-link-ish access to the device.
> There are different views about how sensitive software inventory is.
> This is why the draft doesn't take a position on the subject, other
> than to allow for the notion that some requests *may* need to be
> authenticated.
I agree that this is the right approach for the document to take.
I'm expressing the view that it's fundamentally security through obscurity.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
