This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] ROA and for x.509 certificate (RDAP record)
Hank Nussbacher
hank at interall.co.il
Tue Apr 12 17:23:45 CEST 2022
We are working on a PoC in regards to DR with AWS. We are doing BYOIP and were asked to create an ROA record, which I can easily understand. But AWS also requests an X.509 certificate as per:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
which needs to be added to a new "descr:" tag.

They state in their page:

"When you provision an address range for use with AWS, you are confirming that you control the address range and are authorizing Amazon to advertise it. We also verify that you control the address range through a signed authorization message. This message is signed with the self-signed X.509 key pair that you used when updating the RDAP record with the X.509 certificate. AWS requires a cryptographically signed authorization message that it presents to the RIR. The RIR authenticates the signature against the certificate that you added to RDAP, and checks the authorization details against the ROA."

Why isn't creating an ROA proof enough that I control the address range? Why are 2 forms of authentication needed (ROA & X.509)?

What will happen to the pollution of the descr tag if others like Azure and GCP decide on something similar? Should the community form a standard rather than let the descr field become polluted?

Regards,
Hank