IRT object and authentication schemes

Havard Eidnes wrote:

Håvard,

> someone's prodded me wrt. the IRT object registration.  This finally
> made me take a closer look at the available documentation defining
> this object type.  I have one question (well, I may have more, but
> this one is the most important one, I think):
> 
> In section 5 of
> 

[SNIP]

> Is there a logical AND between these two items?  (I think there is,
> but it really ought to be said explicitly, and the "should pass"
> phrase should be replaced by "must pass both of".)

Indeed, there is a logical AND. Both the auth: for (any of the) maintainers AND 
the auth: for the IRT object MUST pass. So, yes, it should (or must?) be a "MUST 
pass".

> This is pretty crucial when evaluating what should be registered in
> the IRT object, as unwise choices (no overlap between irt auth: and
> mntnr auth:) on this front will at best make it very cumbersome to add
> IRT references to inetnum / inet6num objects, requiring nested
> signatures (I wonder, does the RIPE DB support that?).

The usage of two separate auth: keys is meant to be and yes the database 
supports double authorization. First the LIR can make the request to add the 
mnt-irt: attribute to the inet[6]num, sign it and pass this on to the IRT. The 
IRT in turn signs the signed request to show that the IRT agrees.

> Oh, yes, I also think the IRT definition document needs to say a few
> words about what specific roles the admin-c and tech-c of an IRT
> object is supposed to fill.

In fact this is no different than with most other objects that (can) have 
admin-c and tech-c fiels. E.g. the admin-c can be the head of the IRT and tech-c 
can be his/her co-workers. Both can be either references to person or role objects.

Regards,

Menno Pieters

-- 
Menno Pieters - Stelvio
Postbus 2171, 3800 CD Amersfoort, the Netherlands
Zonnehof 41,  3811 ND Amersfoort, the Netherlands
phone: +31-33-4.697.340 / fax: +31-33-4.697.341
XOIP: +31-84-8.720.349 / Web: http://www.stelvio.nl/