On Tue, Jul 31, 2018 at 11:07:51AM +0000, Hollenbeck, Scott wrote:
> Better? I hesitate to say "The transport used to access the IANA registries
> SHOULD (or MUST) be over TLS" because that's not something the RDAP client
> controls - it's controlled by IANA's web server (which, in fact, is currently
> redirecting http connections to https).
Well, to a large extent it *is* something the RDAP client controls. If it
starts out with http and waits to be redirected to https, it retains all the
security vulnerabilities of unencrypted http, including the ability for an
attacker to inject traffic with a fake reply, redirect to an
attacker-controlled server, etc. An RDAP client that insists on TLS (to IANA)
and performs certificate verification is assured of either getting validated
data from IANA or a connection failure. Perhaps that's not always the best
desired behavior, but it seems like it would be desired almost all of the time
(hence, SHOULD).

-Benjamin

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
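The client-side policy Benjamin describes, as an added example that is not part of the thread or of any RDAP implementation: the client refuses to send a plain-http request at all (so there is no cleartext hop for an attacker to answer or redirect), verifies the server certificate and hostname, and follows a redirect only if the target is also https. The bootstrap URL is the real IANA location of the DNS bootstrap registry; the function and class names, the exception type, and the dry-run helper are this example's own.

```python
"""Fetch an IANA RDAP bootstrap registry while insisting on TLS end to end.

Example code added to illustrate the regext discussion above; it is not
code from the thread or from any RDAP client. Only the registry URL is
real; the policy helpers are assumptions made for this example.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Real IANA location of the RDAP DNS bootstrap registry (RFC 7484).
IANA_DNS_BOOTSTRAP = "https://data.iana.org/rdap/dns.json"


class TlsOnlyPolicyError(Exception):
    """Raised when a request or a redirect would leave TLS."""


def require_https(url: str) -> str:
    """Reject any URL whose scheme is not https before a single byte is sent.

    A client that starts on http and waits for the 301/302 to https has
    already given an on-path attacker a cleartext reply to forge.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise TlsOnlyPolicyError(f"refusing non-TLS or malformed URL: {url!r}")
    return url


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow a redirect only when the Location target is also https.

    require_https() already rejects a cleartext starting point; this
    guards the other direction, a TLS server (or a forged response)
    redirecting the client back down to http.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def verified_tls_context() -> ssl.SSLContext:
    """Context that verifies the chain against system roots and checks the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def fetch_bootstrap(url: str = IANA_DNS_BOOTSTRAP, timeout: float = 10.0) -> dict:
    """Return the parsed registry, or raise; there is no cleartext fallback."""
    require_https(url)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=verified_tls_context()),
        HttpsOnlyRedirectHandler(),
    )
    with opener.open(url, timeout=timeout) as resp:
        return json.load(resp)


def redirect_target(from_url: str, code: int, location: str) -> str:
    """Dry-run the redirect policy offline: the URL urllib would follow, or a raise.

    Assumed helper for this example; it drives the handler with a synthetic
    redirect instead of a live response.
    """
    req = urllib.request.Request(require_https(from_url))
    new_req = HttpsOnlyRedirectHandler().redirect_request(req, None, code, "", {}, location)
    return new_req.full_url


if __name__ == "__main__":
    registry = fetch_bootstrap()  # network access: real IANA registry
    print(registry.get("version"), len(registry.get("services", [])), "services")
```

With this arrangement the outcome is exactly the dichotomy in the message: validated data from IANA, or an exception. Note that `ssl.create_default_context()` uses the platform trust store; a client that wants to be stricter (pinning, or a dedicated root set) would load it into the same context rather than relax verification.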