[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Larry J. Blunk
ljb at merit.edu
Wed Jul 16 18:20:08 CEST 2003
On Mon, 2003-07-14 at 05:15, George Michaelson wrote:
> On Mon, 14 Jul 2003 07:47:11 +0200 Patrik Fältström <paf at cisco.com> wrote:
>
> > On måndag, jul 14, 2003, at 02:53 Europe/Stockholm, Sanjaya wrote:
> >
> > > Yes we run our own root-CA, and the first step is for the client
> > > to install APNIC root CA in its trusted root store.
> >
> > Good.
> >
> > > We're using the OpenCA software (www.openca.org) and modify
> > > it to suit our purpose. When we issue a certificate, an e-mail
> > > containing download url + instruction is sent to the requestor.
> >
> > ...which imply each customer/user of yours have to get a certificate
> > from you which they are to use in the communication with you?
> >
> > paf
> >
>
> Yes.
>
> There are open questions here, about capabilities in the wider community to
> understand PKI, and also about the nature of certification: right now we are
> only doing identity certificates for people, but we are using them to
> gateway access into I.T. Systems, which makes them agents for authorization as
> well as authentication. They are being presented to SSL enabled webservers,
> which then use the identity knowledge to decide to enable/permit a privileged
> operation like a whois object update. Right now, the APNIC model has stored
> tokens in the web database backend, but we'd expect that we could bypass those,
> if we took the PKI model all the way to the whois.
>
> When we discuss PKIX, and things like S-BGP or SO-BGP, it introduces questions
> about how we will tie certificates to resources, what are the properties of the
> certificate we need to play with to represent the resource, how 'unitary' are
> these assertions or can they authenticate a range, and bless instances of the
> sub-range as well.. This is an area we are going to need to discuss widely.
>
> The Lynn/Kent/Seo draft on X.509 Address and AS identifiers in certificates is
> the first document I've seen coming from the IETF which treads into this area
> and I think the RIR community needs to review and participate in this
> discussion.
>
> draft-ietf-pkix-x509-ipaddr-as-extn-01.txt
>
> cheers
> -George

The following Internet Draft was published a few weeks ago --

http://www.ietf.org/internet-drafts/draft-weis-sobgp-certificates-00.txt

It employs a "web of trust" model. The exact role of the RIR community under this model seems to be somewhat murky.

-Larry Blunk