[ppml] ARIN Certificates

Geoff Huston gih at apnic.net
Thu Apr 21 18:19:20 EDT 2005

At 05:02 AM 22/04/2005, Randy Bush wrote:
> >> perhaps having to have a different cert from each rir with which
> >> one deals is not the best solution for the global internet?  is
> >> the nro considering a single cert authority?
> >
> > I think that it would be an admirable goal...but
> >
> > ...There's something to be said for the fact that the 5 RIR's are
> > separate organizations, loosely joined by having comparable policies
> > yet retaining independence.
>hey, i'm just trying to get a usable operational cert, not delve
>into irr, iana, dhs, ... politics.
>e.g., as sbgp rolls out, am i going to have to sign my euro prefixes
>with a ripe cert, my asian ...  i think you get it.
> > ...It's not clear to me that the NRO is to have that much of a
> > functional role.  Perhaps the RIRs can someday accept each other's
> > root certificates - that would need some discussion and review.
>then maybe iana should be the root ca

Well, some considerations of getting this thing done as opposed to talking 
about it say to me that we run with what should work now, which says to me 
that an NRO root cert makes sense in the first instance.

Your point about having a single cert for a single entity with resources from 
multiple RIRs is a good one. Having multiple certificates does not work and 
there is a certain amount of coordination process to ensure that there is 
one entity and one cert attribute. Of course there are then multiple 
update and potential revocation sources, and I suspect that the entity will 
need to actively consent to such an arrangement beforehand.


