This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] RPKI Resource Certification: building features
- Previous message (by thread): [ncc-services-wg] RPKI Resource Certification: building features
- Next message (by thread): [ncc-services-wg] RPKI Resource Certification: building features
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Owen DeLong
owen at delong.com
Mon Oct 4 11:59:53 CEST 2010
> >> I'll go a step further and say that the resource holder should be >> the ONLY holder of the private key for their resources. >> >> Owen > > If you're saying that ISPs can only participate in an RPKI scheme if they > run their own Certificate Authority, then I think that would practically > ruin the chances of Certification actually ever taking off on a large > scale. > > -Alex No... I'm saying that if ISPs aren't the only entities that hold their private keys, then they aren't the only entities that can sign their resources. If you choose to delegate the CA role for signing your resources to someone else, then, obviously, you have to give them a valid private key with which to sign those resources. However, in doing that, you've created a situation where your signature is now much easier to forge. Kind of like automatic signing machines for checks. Benefit: The accounting department can sign thousands of checks and the CFO doesn't have to. Draw-back... The accounting department can sign thousands of checks without the CFO knowing they did so. Owen
- Previous message (by thread): [ncc-services-wg] RPKI Resource Certification: building features
- Next message (by thread): [ncc-services-wg] RPKI Resource Certification: building features
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]