Commit

Script updating gh-pages from 34b0cf1. [ci skip]
ID Bot committed Jul 18, 2024
1 parent 823f7e5 commit 3db4848
Showing 2 changed files with 5 additions and 4 deletions.
2 changes: 1 addition & 1 deletion draft-vesco-vcauthtls.html
Expand Up @@ -1655,7 +1655,7 @@ <h2 id="name-security-considerations">
Further considerations can be made on the DID resolution process. Assuming that a DID resolution is performed in clear, a man-in-the-middle could impersonate the DLT node, forge a DID Document containing the authenticating endpoint's DID, associate it with a key pair that he owns, and then return it to the DID resolver. Thus, the attacker is able to compute a valid CertificateVerify message by possessing the long term private key. In practice, the man-in-the-middle attacker breaks in transit the immutability feature provided by the DLT, i.e. the RoT for the public keys.
A possible solution to this attack is to esthablish a TLS channel towards the DLT node and authenticate only the latter to rely on the received data. The DLT node <span class="bcp14">MUST</span> be authenticated through an X.509 certificate. The session resumption and 0 round-trip time (0-RTT) features of TLS 1.3 can be used to reduce the overhead of establishing this TLS channel.
In addition, the communication with the DLT node can be protected with Internet Protocol Security
(IPsec) <span>[<a href="#RFC4301" class="cite xref">RFC4301</a>]</span> <span>[<a href="#RFC6071" class="cite xref">RFC6071</a>]</span> and Internet Key Exchange Version 2 (IKEv2) <span>[<a href="#RFC7296" class="cite xref">RFC7296</a>]</span> in endpoint-to-endpoint transport mode for even better performance in term of latency of DID resolution.<a href="#section-7-1" class="pilcrow"></a></p>
(IPsec) <span>[<a href="#RFC4301" class="cite xref">RFC4301</a>]</span> <span>[<a href="#RFC6071" class="cite xref">RFC6071</a>]</span> in endpoint-to-endpoint transport mode for even better performance in term of latency of DID resolution. Mutual authentication in Internet Key Exchange Version 2 (IKEv2) <span>[<a href="#RFC7296" class="cite xref">RFC7296</a>]</span> can be performed with raw public keys.<a href="#section-7-1" class="pilcrow"></a></p>
</section>
</div>
<div id="privacy-considerations">
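Review bot: The new last sentence of this paragraph says IKEv2 mutual authentication "can be performed with raw public keys" but does not say how either peer obtains and trusts the other's raw key. The same paragraph describes an attacker who substitutes a key pair during DID resolution, and the TLS alternative closes that gap by requiring (MUST) X.509 authentication of the DLT node; a raw public key carries no such binding unless it is provisioned or pinned out of band. Suggest stating that provisioning assumption explicitly and citing the IKEv2 raw public key specification (RFC 7670) alongside RFC7296. The TLS option authenticates only the DLT node while this option is described as mutual, so the text should also say which key the resolver presents and how the DLT node comes to trust it.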
7 changes: 4 additions & 3 deletions draft-vesco-vcauthtls.txt
Expand Up @@ -608,9 +608,10 @@ Figure 1: Generation of the identity compliant with the SSI model and
(0-RTT) features of TLS 1.3 can be used to reduce the overhead of
establishing this TLS channel. In addition, the communication with
the DLT node can be protected with Internet Protocol Security (IPsec)
[RFC4301] [RFC6071] and Internet Key Exchange Version 2 (IKEv2)
[RFC7296] in endpoint-to-endpoint transport mode for even better
performance in term of latency of DID resolution.
[RFC4301] [RFC6071] in endpoint-to-endpoint transport mode for even
better performance in term of latency of DID resolution. Mutual
authentication in Internet Key Exchange Version 2 (IKEv2) [RFC7296]
can be performed with raw public keys.

8. Privacy Considerations

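Review bot: In the rewrapped sentence "Mutual authentication in Internet Key Exchange Version 2 (IKEv2) [RFC7296] can be performed with raw public keys", the lowercase "can be" leaves the requirement level unclear, whereas the X.509 requirement in the HTML rendering of the same paragraph is a BCP 14 MUST. If the raw public key option is meant as a normative alternative, use MAY or SHOULD; otherwise mark it as informative. The retained phrase "in term of latency" should read "in terms of latency". Both this file and draft-vesco-vcauthtls.html are script output from 34b0cf1, so the wording changes belong in the draft source so the two renderings stay in sync.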