nanog mailing list archives
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 23 Nov 2005 20:44:42 -0500
In message <20051124113104.0bd275d2 () garlic apnic net>, George Michaelson writes:

> According to what I understand, there have to be two certificates per entity: one is the CA-bit enabled certificate, used to sign subsidiary certificates about resources being given to other people to use. The other is a self-signed NON-CA certificate, used to sign route assertions you are attesting to yourself: you make this cert using the CA cert you get from your logical parent.

Or your parent could have a CA and issue you two certs, one for signing route assertions and one for signing certificates you issue to your downstreams.

That in turn has another interesting implication: an ISP can *enforce* a contract that prohibits a downstream from reselling connectivity, at least if the resold connectivity includes a BGP announcement -- the ISP would simply decline to sign a CA certificate for its customer, thereby depriving it of the ability to delegate portions of its address space. (N.B. Certificates include usage fields that say what the cert is good for.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
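The split between a CA certificate and a non-CA route-signing certificate discussed in this message, modelled as an added Python example that is not part of the original post and is not real X.509 handling. Certificates here are plain records without signatures, and every name, prefix and function is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: Optional["Cert"]  # None marks the trust anchor (constructed root)
    is_ca: bool               # models the CA bit in the certificate
    resources: tuple          # address blocks the certificate covers

def net(*prefixes):
    return tuple(ip_network(p) for p in prefixes)

def covers(parent, child):
    """True if every child prefix sits inside some parent prefix."""
    return all(any(c.version == p.version and c.subnet_of(p) for p in parent)
               for c in child)

def validate(cert):
    """Walk up to the trust anchor; return (ok, reason)."""
    node = cert
    while node.issuer is not None:
        up = node.issuer
        if not up.is_ca:
            return False, f"{up.subject} holds no CA certificate, cannot issue {node.subject}"
        if not covers(up.resources, node.resources):
            return False, f"{node.subject} claims space outside {up.subject}"
        node = up
    return (True, "ok") if node.is_ca else (False, "trust anchor is not a CA")

def route_assertion_ok(signer, prefix):
    """Route assertions are signed by a valid non-CA cert covering the prefix."""
    ok, why = validate(signer)
    if not ok:
        return False, why
    if signer.is_ca:
        return False, "CA certificates sign certificates, not route assertions"
    if not covers(signer.resources, net(prefix)):
        return False, f"{prefix} not held by {signer.subject}"
    return True, "ok"

# Constructed sample hierarchy (documentation prefixes, hypothetical names).
ROOT = Cert("registry", None, True, net("198.51.100.0/24", "203.0.113.0/24"))
ISP_CA = Cert("isp-ca", ROOT, True, net("198.51.100.0/24"))
# No-resale case: the ISP issues its customer only a non-CA certificate.
CUST_EE = Cert("customer-routes", ISP_CA, False, net("198.51.100.0/25"))
# A certificate the customer tries to issue downstream chains through a non-CA cert.
RESOLD = Cert("resold-routes", CUST_EE, False, net("198.51.100.0/26"))
```

The customer can still originate its own /25, but any assertion signed under `RESOLD` fails validation because its issuer has no CA bit.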