nanog mailing list archives
Re: IP Block 99/8 (DHS insanity - offtopic)
From: Sean Donelan <sean () donelan com>
Date: Tue, 24 Apr 2007 06:24:46 -0400 (EDT)
On Mon, 23 Apr 2007, Chris L. Morrow wrote:
> I think the strawman proposals so far were something like:
>
> 1) IANA has 'root' ca-cert
> 2) IANA signs down certs for RIRs
> 3) RIRs sign down certs for LIRs
> 4) LIRs sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
>
> This seemed not-too-insane, and would give ISP/operator type folks the ability to easily and quickly verify that: 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1 with some level of authority... It's nothing really more than that.
You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.
The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. "I forgot my password") to change their directory information. And the same thing will probably be true when you ask LIRs to sign things: "I lost my RSA cert, please sign a new one for 'me'."

An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
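The four-level strawman in the quoted message (IANA root, RIR, LIR, address-space user, then a signed statement that a prefix may be originated by an org) is mechanically easy to check, which is exactly what makes the reply's point sharp: the checker below will happily accept anything the LIR signed, whoever asked for it. This is an added example, not code from the thread or from any NANOG participant. It is written against the standard library only, so the signatures are textbook RSA over a SHA-256 digest with tiny primes (constructed, illustration only, not secure). 157.242.0.0/16 and the org-id LMU-1 come from the quoted message; the names RIR-X and LIR-Y, their allocations, the serial numbers and AS64496/AS64511 (documentation range) are constructed placeholders. Each certificate carries the prefixes its subject may hold or sub-delegate, and validation checks name chaining, signature, a revocation set standing in for the CRL, and that every level's resources sit inside its parent's.

```python
"""Toy offline check of an IANA -> RIR -> LIR -> user certificate chain ending
in an origin authorisation. Textbook RSA with small primes: illustration only."""
import hashlib
import ipaddress
import math
from dataclasses import dataclass, replace


def _is_prime(n: int) -> bool:
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


@dataclass(frozen=True)
class ToyKey:
    """Textbook RSA on a SHA-256 digest reduced mod n (constructed, not secure)."""
    n: int
    e: int
    d: int = 0  # private exponent; 0 on a public-only copy

    @classmethod
    def generate(cls, seed: int, e: int = 65537) -> "ToyKey":
        p = _next_prime(seed)
        q = _next_prime(p + 1)
        while math.gcd(e, (p - 1) * (q - 1)) != 1:
            q = _next_prime(q + 1)
        return cls(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

    def public(self) -> "ToyKey":
        return ToyKey(self.n, self.e)

    def _digest(self, data: bytes) -> int:
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n

    def sign(self, data: bytes) -> int:
        return pow(self._digest(data), self.d, self.n)

    def verify(self, data: bytes, sig: int) -> bool:
        return pow(sig, self.e, self.n) == self._digest(data)


@dataclass(frozen=True)
class Cert:
    subject: str
    key: ToyKey          # subject's public key
    resources: tuple     # prefixes (strings) the subject may hold or sub-delegate
    issuer: str
    serial: int
    sig: int = 0         # issuer's signature over tbs()

    def tbs(self) -> bytes:
        res = ",".join(sorted(self.resources))
        return f"{self.subject}|{self.key.n}|{self.key.e}|{res}|{self.issuer}|{self.serial}".encode()


@dataclass(frozen=True)
class OriginAuth:
    """Leaf-signed statement: `prefix` may be originated by `origin`."""
    prefix: str
    origin: str
    signer: str
    sig: int = 0

    def tbs(self) -> bytes:
        return f"{self.prefix}|{self.origin}|{self.signer}".encode()


def make_root(name: str, key: ToyKey, resources: tuple) -> Cert:
    unsigned = Cert(name, key.public(), tuple(resources), name, 1)
    return replace(unsigned, sig=key.sign(unsigned.tbs()))


def issue(issuer: Cert, issuer_key: ToyKey, subject: str, key: ToyKey,
          resources: tuple, serial: int) -> Cert:
    unsigned = Cert(subject, key.public(), tuple(resources), issuer.subject, serial)
    return replace(unsigned, sig=issuer_key.sign(unsigned.tbs()))


def authorize(holder: Cert, holder_key: ToyKey, prefix: str, origin: str) -> OriginAuth:
    unsigned = OriginAuth(prefix, origin, holder.subject)
    return replace(unsigned, sig=holder_key.sign(unsigned.tbs()))


def _covered(prefix: str, resources: tuple) -> bool:
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in resources)


def validate(auth: OriginAuth, chain: list, anchor: Cert, revoked: set) -> tuple:
    """Walk a root-first chain; return (True, 'ok') or (False, reason)."""
    if not chain or chain[0] != anchor:
        return False, "chain does not start at the configured trust anchor"
    for parent, cert in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        if (cert.issuer, cert.serial) in revoked:   # the 'online CRL check'
            return False, f"{cert.subject}: certificate revoked"
        if not parent.key.verify(cert.tbs(), cert.sig):
            return False, f"{cert.subject}: bad signature from {parent.subject}"
        if not all(_covered(r, parent.resources) for r in cert.resources):
            return False, f"{cert.subject}: resources exceed {parent.subject}'s allocation"
    leaf = chain[-1]
    if auth.signer != leaf.subject or not leaf.key.verify(auth.tbs(), auth.sig):
        return False, "origin authorisation not signed by the chain's leaf"
    if not _covered(auth.prefix, leaf.resources):
        return False, f"{auth.prefix} is not held by {leaf.subject}"
    return True, "ok"


def demo() -> dict:
    # Constructed keys and names; RIR-X, LIR-Y, allocations and ASNs are placeholders.
    iana_k, rir_k, lir_k, lmu_k, rogue_k = (ToyKey.generate(s) for s in
                                            (10**6, 2 * 10**6, 3 * 10**6, 4 * 10**6, 5 * 10**6))
    iana = make_root("IANA", iana_k, ("0.0.0.0/0",))
    rir = issue(iana, iana_k, "RIR-X", rir_k, ("157.0.0.0/8",), 101)
    lir = issue(rir, rir_k, "LIR-Y", lir_k, ("157.240.0.0/14",), 202)
    lmu = issue(lir, lir_k, "LMU-1", lmu_k, ("157.242.0.0/16",), 303)
    chain = [iana, rir, lir, lmu]
    good = authorize(lmu, lmu_k, "157.242.0.0/16", "AS64496")
    out = {"valid": validate(good, chain, iana, set())}
    # The leaf cannot authorise space it was never delegated.
    out["outside"] = validate(authorize(lmu, lmu_k, "157.243.0.0/16", "AS64496"), chain, iana, set())
    # An LIR cannot sign space beyond its own allocation, even with a valid signature.
    over = issue(lir, lir_k, "LMU-1", lmu_k, ("10.0.0.0/8",), 304)
    out["overreach"] = validate(authorize(over, lmu_k, "10.0.0.0/8", "AS64496"),
                                [iana, rir, lir, over], iana, set())
    # Swapping in a key the LIR never signed breaks the chain despite correct names.
    forged = replace(lmu, key=rogue_k.public())
    out["forged"] = validate(authorize(forged, rogue_k, "157.242.0.0/16", "AS64511"),
                             [iana, rir, lir, forged], iana, set())
    # The offline chain still depends on the revocation check being reachable.
    out["revoked"] = validate(good, chain, iana, {("LIR-Y", 303)})
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

Note what the checker does and does not settle: every failure case above is a math or containment error, and the reply's scenario (the LIR is talked into signing a fresh key for "me") produces a chain that passes `validate` without complaint, because nothing in the chain records how the LIR identified the requester. That is the gap the thread is pointing at; the code only makes it concrete.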