Re: question about Mark Koster's ARIN presentation

[Randy Bush <randy () psg com>]

> > We are using the same code that RIPE is using at http://certtest.ripe.net.
> > RIPE has been very kind to allow us to use their code.  As for ARIN,
> > this is a pilot and is certainly not a final fixed-feature set. The
> > first go of this is the "hosted" solution where an ISP can come into
> > ARIN's pilot and create ROAs based off of allocations that they
> > have received from ARIN. 
> >
> > All the ROAs will be placed into a rsync repository that can be retrieved 
> > and validated. Specifically, here are the features that are a part of the 
> > system:
> >
> > *  Enables ARIN resource holders to request certificates for their IPv4 and 
> >    IPv6 Provider Aggregatable (PA) resources
> > *  Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) 
> >    for their PA address space
> > *  Provides a public repository of certificates and ROAs
> > *  Handles key rollovers and revocations
>
> the simple version of the question: who holds my private key(s)?

i guess the answer is ARIN does.  not very private are they.

> the longer version: does this implement my having my own subsidiary CA
> with it communiciating with ARIN's and RIPE's ... using the protocols of
> the ietf sidr work?

i guess not.

so how do i, a transit provider arin member, get certs and roas for my
downstream multi-homed customers?

randy