[ncc-services-wg] Implementation of Resource Certification (RPKI) for PI End User Resources

Hi,

On Wed, Oct 23, 2013 at 05:00:08PM +0800, Nick Hilliard wrote:
> there's no way of necessarily knowing that the contact info in the ripe
> database is correct, even if the resources are correctly registered to the
> legal person described in the organisation object.  This means that the
> RIPE NCC has no real way of knowing if J. Random end user is the correct
> contact for the PI resource, which means that it needs to devolve the
> initial stage of this authorisation to the sponsoring LIR.  This probably
> sucks.

OTOH, for RPKI, do we really need to know *who* the user is?

If - as Alex proposes - the system checks "is there an approved contactual
relationship for the resource in question, *and* does the user have the
necessary credentials to satisfy the mnt-routes: criteria for the object?",
the ability to create ROAs would correspond to the ability to create route:
objects - and since RPKI isn't certifying identity, but "this person is
authorized to authorize routing for the resource", this sounds workable
for me.

The bit "show me your credentials" is going to be interesting for PGP,
but can be done ("show nonce, ask for signature on it, copy back to
text field")...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </ripe/mail/archives/ncc-services-wg/attachments/20131023/b0fb0aa6/attachment.sig>