[routing-wg] Re: [ncc-services-wg] RPKI Resource Certification: building features

On Mon, October 4, 2010 04:38, Owen DeLong wrote:
>
> On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
>
>>> Do you think there is value in creating a system like this?
>>
>> yes.  though, given issues of errors and deliberate falsifications, i am
>> not entirely comfortable with the whois/bgp combo being considered
>> formally authoritative.  but we have to do something.

But blindly considering whois/BGP authoritative is not what I am
proposing. I want to confront the network operator with what is registered
in the IRR and what is seen in BGP, and let the human element make
decisions and corrections, improving data quality in the process.

>>> Are there any glaring holes that I missed
>>
>> yes.  the operator should be able to hold the private key to their
>> certificate(s) or the meaning of 'private key' and the security
>> structure of the [ripe part of the] rpki is a broken.
>>
>> randy

In the hosted implementation the RIPE NCC currently has, only a registered
contact for an LIR with whom we have a business relationship has access to
the secured LIR Portal in which the Certification system is embedded.

The reason to offer a hosted system initially, is to take away the burden
from an LIR of having to run their own Certificate Authority. We offer a
service that makes the entry barrier for Certification as low as possible.
Properly running your own CA, with all the crypto aspects, is no small
feat for a lot of LIRs (technically, but perhaps more psychologically).
You may argue that it's easy and cheap to do yourself, but just look at
adoption rates and levels of IPv6 and DNSSEC *at an LIR level* to see what
reality is like.

After the production launch on 1 January 2011, the next step we will take
is to implement the up/down protocol, allowing people to run their own
Certificate Authority if they choose to do so. We plan to roll this out in
the first half of 2011. We'll go one step further by having our software
certified by an external independent company, and releasing it as open
source to the Community, so they can be sure they adopt a robust system if
they choose our package.

So in the end our implementation is not 'broken' as you say, it is in he
middle of a planned, phased approach. Not everything is possible yet and
that is a deliberate decision.

> I'll go a step further and say that the resource holder should be
> the ONLY holder of the private key for their resources.
>
> Owen

If you're saying that ISPs can only participate in an RPKI scheme if they
run their own Certificate Authority, then I think that would practically
ruin the chances of Certification actually ever taking off on a large
scale.

-Alex