[ppml] ARIN Certificates
Geoff Huston
gih at apnic.net
Thu Apr 21 18:19:20 EDT 2005
At 05:02 AM 22/04/2005, Randy Bush wrote:
> >> perhaps having to have a different cert from each rir with which
> >> one deals is not the best solution for the global internet? is
> >> the nro considering a single cert authority?
> >
> > I think that it would be an admirable goal...but
> >
> > ...There's something to be said for the fact that the 5 RIR's are
> > separate organizations, loosely joined by having comparable policies
> > yet retaining independence.
>
>hey, i'm just trying to get a usable operational cert, not delve
>into irr, iana, dhs, ... politics.
>
>e.g., as sbgp rolls out, am i going to have to sign my euro prefixes
>with a ripe cert, my asian ... i think you get it.
>
> > ...It's not clear to me that the NRO is to have that much of a
> > functional role. Perhaps the RIRs can someday accept each other's
> > root certificates - that would need some discussion and review.
>
>then maybe iana should be the root ca

Well, some considerations of getting this thing done as opposed to talking
about it says to me that we run with what should work now, which says to me
that an NRO root cert makes sense in the first instance.

Your point about having a single cert for a single entity with resources from
multiple RIRs is a good one. Having multiple certificates does not work and
there is a certain amount of coordination process to ensure that there is
one entity and one cert attribute. Of course there are then multiple
update and potential revocation sources, and I suspect that the entity will
need to actively consent to such an arrangement beforehand.

Geoff