This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Shane Kerr
shane at ripe.net
Tue Jul 22 18:14:25 CEST 2003
Randy,

Randy Bush wrote:
>> What I now heard was that the ssl connections will be
>> strengthened by adding client side certificates which can be used
>> for authentication. This might of course raise questions about the
>> use of third-party-CA for the certificates, but this is (as
>> clarified in this mail below) resolved by having the RIR being a
>> CA by itself.
>
> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens? i already
> *remove* a bunch of root CAs when i bring up a new browser. this
> is the new internet. get paranoid.
>
> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.

Certificates from the RIPE NCC's CA are not intended for 3rd party
authentication. They are only intended to allow the LIRs to
authenticate themselves to the RIPE NCC.

Some mail clients require that the RIPE NCC CA be installed as a root
CA before they will let the user send mail signed by a certificate
issued by the RIPE NCC CA. Therefore we provide an easy means for
users to do this. If you wish to use a mail client without this
restriction, there is no reason to trust the RIPE NCC's CA for
anything other than issuing your certificate.

It's not certificates for the RIPE NCC that are the issue here, it's
certificates for the LIRs, to be trusted by the RIPE NCC. If the RIPE
NCC were to trust certificates issued by another CA, then we would be
relying on their registration authority (RA). Not only would the RIPE
NCC have to trust a 3rd party to identify RIPE NCC members, but users
would need to provide a separate set of documentation and probably
also pay a fee to obtain their certificates.

--
Shane Kerr
RIPE NCC