This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call
Martin Millnert
millnert at gmail.com
Wed May 4 19:45:44 CEST 2011
Brian,

On Wed, May 4, 2011 at 12:24 PM, Brian Nisbet <brian.nisbet at heanet.ie> wrote:
> On 04/05/2011 16:57, Sascha Luck wrote:
>>
>> On Wed, May 04, 2011 at 05:50:06PM +0200, Erik Bais wrote:
>>>
>>> It's not that RIPE NCC is owned by a government or that ROAs or
>>> certificates are something that the Dutch government could seize or
>>> that an evil government would/could do so (under Dutch law), in order
>>> to shut down the internet or an ISP.. There are far better
>>> (more effective) ways of doing so, if you remember what happened in
>>> Egypt / Libya etc.. Power down datacenter (y/n) ...
>>
>> The Egyptian ex-government had to ring each SP and tell them to pull
>> their advertisements. At least one of whom (for a while) appears to have
>> told them to go shite.
>>
>> Having a central authority (especially one that's beholden to 20+
>> governments via the EU) makes that *much* easier.
>
> I really don't think it does. You seem to be imagining a scenario where a
> national government would just ring up the NCC and say, "revoke these
> certs." I have seen no evidence to suggest this risk is anything close to
> real. I suspect that a for profit global megacorp running such a
> certification system would be far more vulnerable to such measures, but even
> then, I don't see this as a large risk.

It's not about "not seeing a risk" as much as it is about _making sure_, in the very design of the system, that it is *not possible* to abuse. Or at the very least extremely hard (global conspiracy kind of hard), to abuse. That would lend a bit more credit to the system.

That would mean, of course, that no revocation of any certificate from any single central authority can affect routing on multiple networks. (This list goes on.)

The success of deployment of RPKI & siblings is inversely proportional to the amount of abuse it makes possible -- I very much would like a much, much different balance than the proposals as they are.

As David suggests, much if not all of this can already be achieved using RPSL - save BGP integration...

Kind Regards,
Martin