nanog mailing list archives
Re: [ncc-services-wg] RPKI Resource Certification: building features
From: Owen DeLong <owen () delong com>
Date: Mon, 4 Oct 2010 02:59:53 -0700
I'll go a step further and say that the resource holder should be the ONLY holder of the private key for their resources.

Owen

If you're saying that ISPs can only participate in an RPKI scheme if they run their own Certificate Authority, then I think that would practically ruin the chances of Certification actually ever taking off on a large scale.

-Alex

No... I'm saying that if ISPs aren't the only entities that hold their private keys, then they aren't the only entities that can sign their resources.

If you choose to delegate the CA role for signing your resources to someone else, then, obviously, you have to give them a valid private key with which to sign those resources. However, in doing that, you've created a situation where your signature is now much easier to forge.

Kind of like automatic signing machines for checks. Benefit: The accounting department can sign thousands of checks and the CFO doesn't have to. Draw-back... The accounting department can sign thousands of checks without the CFO knowing they did so.

Owen