On Apr 3, 2014, at 4:50 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
ps. The other reason for using https is privacy to reduce traffic analysis
and other meta-data review. This is quite separate from keeping IETF data
'confidential'.
I’m actually not in the least interested in IETF data “confidentiality”. It’s
not confidential.
If someone can hijack 8.8.8.8 and send it to a DNS server in their favorite
country, they can hijack ietf.org or 2001:1900:3001:11::2c and send it to a web
server of their choice. I’d like for information from the IETF to be verifiably
authentic. That includes, of course, a signature on the file and at least a
signature in flight. If the way to get something equivalent to a signature is
encryption in the IETF’s private key, whatever. But not a key that can be
copied and reused to sign/encrypt corrupted data.
signature.asc
Description: Message signed with OpenPGP using GPGMail