This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Previous message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Next message (by thread): [routing-wg] A Changing User Interface for rpki-validator.ripe.net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at fastly.com
Mon Sep 20 16:00:08 CEST 2021
Hi all, Someone asked me off-list whether I had in mind to track all ROAs (they were concerned about scaling) or something else? A great question! I see as goal for Certificate Transparency in context of the RPKI is to track (in an immutable log) the delegations of authority as certified by the the RIRs and NIRs. The value of specifically tracking the resource delegations is twofold: A) Resource holders can monitor whether they (accidentally) lost any entitlements to any of their resources (aka, a "cryptographic service outage" from the perspective of the resource holder) B) Resource holders can monitor whether some other entity (accidentally) received entitlements to specific resources. (aka, the INR holder being at risk of a "cryptographic hijack") To have adequate and complete insight into the activities of the cryptopgrahic engine at RIPE NCC (and places like ARIN, LACNIC, NIC.MX, NIC.BR, etc), the Certificate Transparency principles only need to be applied to the "Production CA" (using RIPE-751 lingo), not to the subordinate products of Hosted CAs (such as ROAs), or Delegated CAs. Tracking the issuance of RPKI ".cer" files is in the order of "tens of thousands", with a growth curve which potentially maps to RIR membership growth/consolidation. These are low numbers. The RPKI numbers are a fraction of what "WebPKI" Logs and Auditors observe, which is good news, it means we can use small servers! :-) What to track and what not to track is up for discussion! Certificate Transparency for RPKI does not yet exist. Kind regards, Job
- Previous message (by thread): [routing-wg] request for feedback: a RPKI Certificate Transparency project?
- Next message (by thread): [routing-wg] A Changing User Interface for rpki-validator.ripe.net
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]