At Tue, 19 Jul 2011 05:51:50 -0700, Terry Manderson wrote: > > The win is to eliminate a threat that has already been identified on the > list.
What threat? Please describe it. The only "threat" I saw discussed is, in my opinion, a non-issue: an attacker can mangle filenames in the unprotected data stream, thus causing objects to fail validation. An attacker who can do that can also mangle the objects themselves in the unprotected data stream, which will also cause the objects to fail validation, so being able to change the filenames doesn't give the attacker anything new. > The suggestion of adding the mapping/type into the Manifest (while > awkward in ietf processing) gives both the mapping result, and > removes the CA/Repository threat identified. The file types are already in the manifest, because the file types are encoded in the filenames, which are in the manifest. _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
