[ncc-services-wg] How to certify resources

Hello Alexander,

On 3 Jan 2011, at 13:07, Alexander.Koeppe at merck.de wrote:

>
> Hello List,
>
> I'm still a bit confused, what I've to do with this new certification
> approach.
>
> My LIR portal user has the "certification" permission.
> When I'm clicking on "certification" in the left pane, it says me  
> that I
> don't have a CA yet.
> Well of course not. Not in the Internet.
> Do I need to create a CA over the portal frontend?
> And if yes, do I have to provide a server running a CA service in the
> Internet?

The resource certification service is solely a hosted platform at the  
moment. It means that you create a Certificate Authority for your  
address space on our system. We take care of all of the crypto  
operations like signing, re-signing, etc. as well as publication of  
certificates and ROAs.

The ability to run your own Certificate Authority on your own systems,  
which interacts with ours, will be introduced later in 2011.

> Somehow I jumped around some sites and reached the following messages
> inside the LIR portal:
>
> "Congratulations! You now have a digital certificate covering your  
> Provider
> Aggregatable (PA) address space."
>
> Well now I'm totally confused. Does that mean, that my resources are
> certified already?

Yes, clicking 'I agree. Certify my resources.' on the Terms and  
Conditions page creates a resource certificate for all of your  
Provider Aggregatable address space. The only thing you have to do now  
is create Route Origin Authorisation specifications, indicating from  
which Autonomous System(s) you will be announcing your prefixes.  
Creation and publication will happen automatically.

After this, anyone will be able to validate if your BGP announcements  
have a valid ROA attached to them, using one of the validation tools:
http://www.ripe.net/certification/validation/

Kind regards,

Alex Band