nanog mailing list archives
Re: [arin-announce] ARIN Resource Certification Update
From: Owen DeLong <owen () delong com>
Date: Sun, 30 Jan 2011 09:40:02 -0800
On Jan 30, 2011, at 8:28 AM, sthaug () nethelp no wrote:
- Hosted solutions offer a low barrier entry to smaller organizations who simply cannot develop their own PKI infrastructure. This is the case where they also lack the organizational skills to properly manage the keys themselves, so, in most cases at least, they are *better off* with a hosted solution

They also offer an attractive target for miscreants with a huge payoff if they are ever compromised....

For RIPE, their hosted solution is clearly meeting expectations within their region. Other region's mileage may vary. I hope we (LACNIC) can do just as well.

We'll see how people feel after the first time it gets pwn3d.

I am already trusting RIPE with my data - specifically, RIPE publishes route objects for my prefixes, and my transit providers generate their prefix lists based on these route objects. I fail to see how a hosted RPKI solution would make this situation worse.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
Because they publish data you have signed. They don't have the ability to modify the data and then sign that modification as if they were you if they aren't holding the private key. If they are holding the private key, then, you have, in essence, given them power of attorney to administer your network. If you're OK with that, more power to you. It's not the trust model I would prefer.

Owen
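The distinction drawn in the reply above, shown as an added example that is not part of the original post: a repository that only publishes holder-signed objects cannot alter them undetected, while whoever holds the signing key decides what relying parties accept. Assumptions: a Lamport one-time signature from the standard library stands in for the RSA signatures real RPKI objects carry, the ROA is reduced to a JSON prefix/ASN pair, and the prefix and ASNs are documentation values.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(_bits(msg)), sig))

def roa(prefix, asn):
    # Simplified stand-in for a ROA payload (constructed sample data).
    return json.dumps({"prefix": prefix, "asn": asn}, sort_keys=True).encode()

INTENDED = roa("192.0.2.0/24", 64496)  # what the resource holder wants
ALTERED = roa("192.0.2.0/24", 64511)   # same prefix, different origin AS

def publish_only():
    """Holder keeps the key; the repository only stores (object, signature)."""
    holder_sk, holder_pk = keygen()
    sig = sign(holder_sk, INTENDED)
    # A relying party checks the object as served, unchanged and then swapped.
    return verify(holder_pk, INTENDED, sig), verify(holder_pk, ALTERED, sig)

def hosted():
    """Operator holds the key that relying parties trust for these resources."""
    operator_sk, trusted_pk = keygen()
    # Whoever controls the key (operator or intruder) chooses what gets signed.
    sig = sign(operator_sk, ALTERED)
    return verify(trusted_pk, ALTERED, sig)

if __name__ == "__main__":
    print("publish-only (intact, altered):", publish_only())
    print("hosted key, altered ROA verifies:", hosted())
```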