nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [arin-announce] ARIN Resource Certification Update

From: Owen DeLong <owen () delong com>
Date: Sun, 30 Jan 2011 09:40:02 -0800

On Jan 30, 2011, at 8:28 AM, sthaug () nethelp no wrote:


- Hosted solutions offer a low barrier entry to smaller organizations
who simply cannot develop their own PKI infrastructure. This is the
case where they also lack the organizational skills to properly manage
the keys themselves, so, in most cases at least, they are *better off*
with a hosted solution


They also offer an attractive target for miscreants with a huge payoff
if they are ever compromised.

...

For RIPE, their hosted solution is clearly meeting expectations within
their region. Other regionĀ“s mileage may vary. I hope we (LACNIC) can
do just as well.


We'll see how people feel after the first time it gets pwn3d.


I am already trusting RIPE with my data - specifically, RIPE publishes
route objects for my prefixes, and my transit providers generate their
prefix lists based on these route objects. I fail to see how a hosted
RPKI solution would make this situation worse.

Steinar Haug, Nethelp consulting, sthaug () nethelp no


Because they publish data you have signed. They don't have the ability
to modify the data and then sign that modification as if they were you if
they aren't holding the private key. If they are holding the private key,
then, you have, in essence, given them power of attorney to administer
your network.

If you're OK with that, more power to you. It's not the trust model I would
prefer.

Owen
Previous By Date Next
Previous By Thread Next

Current thread: