This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Previous message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Next message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at fastly.com
Fri Sep 10 11:57:54 CEST 2021
On Fri, Sep 10, 2021 at 11:39:39AM +0200, Tim Bruijnzeels wrote: > I think all would agree that transparency is good. > > A key difference between RPKI and most other PKIs is that in the RPKI > all objects are published in the open for all the see. Small nitpick: all objects are SUPPOSED to be published, in the open, for all to see. However it is important to keep in mind we cannot assume all objects were published in a way for all to see. > As you mentioned your RPKI validator may miss intermediate state > changes if it retrieves objects using rsync, but the RRDP protocol > supports deltas, see [1]. > > I believe that transparency can most easily be achieved by ensuring > that these deltas are preserved, and that they cannot be modified. RRDP is an unauthenticated and unsigned protocol. It is possible for a Publication Point to present different RRDP deltas to one RP compared to what they present to another RP. Archiving RRDP deltas is interesting, but IMHO happens too late in the pipeline for TA/CA audit purposes. RRDP is not a replacement for Certificate Transparency, both technologies solve different problems. Kind regards, Job
- Previous message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Next message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]