This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Sanjaya
sanjaya at apnic.net
Fri Jul 18 06:05:04 CEST 2003
Hi all,

APNIC has a "terms and conditions" but it is not yet a formal CPS. We are working on that.

We also have investigated cross-certification from a well-known commercial CA in February this year. However, the quoted price of US$50,000 a year is not justified in our opinion.

We are also considering a formal audit once our CPS has been formalised.

Please note that at present our certificates are used for identifying member staff to access internal application (MyAPNIC), so the subject of third-party trust issues may not yet apply. By the time 3rd parties become involved (eg allocation/route certification), we would certainly have more standard CA/PKI structures in place.

This is a new area for most of us, and we are very open to advice and input from the community.

Cheers,
Sanjaya
APNIC CA Project Manager

> -----Original Message-----
> From: db-wg-admin at ripe.net [mailto:db-wg-admin at ripe.net] On
> Behalf Of Randy Bush
> Sent: Thursday, 17 July 2003 12:52 AM
> To: Jan Meijer
> Cc: Patrik Fältström; ncc-services-wg at ripe.net; db-wg at ripe.net
> Subject: Re: [db-wg] Re: [ncc-services-wg] X.509
> authentication in the RIPE Database
>
>
> >> so i am supposed to install the RIRs' certs in my browser as root
> >> CAs and ignore the big hole for attack this opens? i already
> >> *remove* a bunch of root CAs when i bring up a new browser. this
> >> is the new internet. get paranoid.
> > I might overlook something but what's the big hole
>
> someone getting at the root CA key at an RIR
>
> > Specify 'few'. As far as I know it is not cheap to have your PKI
> > signed by one of the 'well-trusted' root CAs.
>
> maybe not cheap for a student, but an RIR can afford it
>
> > Or are you suggesting that RIPE should select one of the
> > commercial root CAs and get all the client certificates from that
> > shop?
>
> no, the RIRs can sign their customers certs.
>
> maybe a tutorial is needed on how this stuff works. paf, is there
> one readily available?
>
> > From a trust point of view it is in fact *better* to consciously
> > import the RIPE root-ca certificate in your browser than to
> > simply trust what's in your root certificate store.
>
> when the RIRs' procedures to protect their root CA keys are audited
> by third parties who have the expertise to do so.
>
> randy
>