[ppml] ARIN Certificates
Randy Bush
randy at psg.com
Thu Apr 21 20:33:41 EDT 2005
>> to prattle on. the rirs have always said "we do not control
>> routing or routability." with x.509 attested prefix ownership,
>> the certs in the chain do control it. one suggests that any such
>> control be exercised *extremely* lightly, downright minimally.

> Point taken. The certification process should be clearly defined and
> approved by the membership of the RIR I should think.

this has the potential to be a very big bomb. one of the biggest
concerns in the secure routing arena is the abuse of the security
facility to be used as a severe denial of service.

routing is global, not just one rir at a time. the stakeholders
are not just the folk doing address allocation in the isps, but
every prefix-owning entity in the global internet. i.e. the set of
stakeholders is very weakly represented in the rirs, a classic
problem, but one that has to be taken seriously considering the
threat model here.

if the rirs can not be *exceedingly* well trusted to not damage the
routing of the isps, then the simple approach would be for the isps
to just get their certs from a normal commercial (or free) ca.
this may be the wiser course anyway.

randy