[ppml] ARIN Certificates

Randy Bush randy at psg.com
Thu Apr 21 19:04:42 EDT 2005

> well some considerations of getting this thing done as opposed to talking 
> about it says to me that we run with what should work now, which says to me 
> that an NRO root cert makes sense in the first instance.

i suspect that isps will be signing requests for number space, for
domain names, to attest to bgp announcements, ...  within the isp,
one will have the isp's cert signing certs for these many different
roles.  it would be cool if the isp needed only one isp cert to be
able to use it to sign the certs for all the roles.  at the moment,
the iana is the only place where all these roles converge.

otoh, i do understand your frustration at even contemplating what
it would take to get the iana to understand the job and to actually
be able to execute it with useful rigor and alacrity.

> Having multiple certificates does not work and there is a certain
> amount of coordination process to ensure that there is one entity
> and one cert attribute.. Of course there are then multiple update
> and potential revocation sources, and I suspect that the entity
> will need to actively consent to such an arrangement beforehand.

i don't think that i, for one, will be inclined to agree to having
any rir, nro, ... revoke my cert for any reason other than my
specifically requesting it in an extremely well authenticated

   "dear customer: we can no longer announce your prefix because
    apnic has revoked our certificate due to a billing problem and
    our bgp neighbors will no longer accept our sbgp announcements.
    of course, you may not get this email, so what the heck."

not a chance in hell.  a cert is your certifying my identity, not
my membership or billing status.

somewhat analogously, if an rir has an expire on an address prefix
cert which is linked to rir billing cycles, then, in the sbgp
world, it sure looks very clearly like rental of address space, not
a business or legal place i suspect that rirs, isps, or any parts
of the community want to go.
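The cascade Randy describes (an RIR revokes an ISP's cert over a billing dispute, and every prefix attestation the ISP has issued below it stops validating; likewise when the ISP cert's expiry is tied to a billing cycle) is easy to show in a toy chain validator. The following is an added example, not code from the mail or from any SBGP/RPKI implementation: the hierarchy (iana, apnic, isp, customer), the allocations (203.0.0.0/8 and below) and the dates are constructed, and HMAC with a per-CA secret stands in for real public-key signatures.

```python
"""Toy hierarchical resource-certificate chain: root -> RIR -> ISP -> customer.
Constructed example. HMAC stands in for real signatures; names and
allocations are illustrative, not real IANA/APNIC holdings."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                  # name of the CA whose key signed this cert
    prefixes: frozenset          # ip_network objects the subject holds
    not_after: date
    sig: bytes = b""

    def tbs(self) -> bytes:
        """Bytes covered by the signature (the 'to be signed' part)."""
        nets = ",".join(sorted(str(p) for p in self.prefixes))
        return f"{self.subject}|{self.issuer}|{nets}|{self.not_after}".encode()


@dataclass
class CA:
    name: str
    key: bytes                                  # toy signing secret (assumption: HMAC, not RSA)
    cert: Optional[Cert] = None                 # the CA's own cert, issued by its parent
    revoked: set = field(default_factory=set)   # subjects this CA has revoked

    def issue(self, subject: str, prefixes, not_after: date) -> Cert:
        nets = frozenset(ipaddress.ip_network(p) for p in prefixes)
        unsigned = Cert(subject, self.name, nets, not_after)
        sig = hmac.new(self.key, unsigned.tbs(), hashlib.sha256).digest()
        return Cert(subject, self.name, nets, not_after, sig)


def validate(cert: Cert, cas: dict, today: date):
    """Walk from `cert` up to the self-signed root. Each link must carry a
    good signature, be unexpired at `today`, not be revoked by its issuer,
    and hold only prefixes covered by the issuer's own cert. Returns
    (ok, reason); the reason names the link that broke the chain."""
    seen = set()
    while True:
        if cert.subject in seen:
            return False, f"loop at {cert.subject}"
        seen.add(cert.subject)
        issuer = cas.get(cert.issuer)
        if issuer is None:
            return False, f"unknown issuer {cert.issuer} for {cert.subject}"
        expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.sig):
            return False, f"bad signature on {cert.subject}"
        if cert.subject in issuer.revoked:
            return False, f"{cert.subject} revoked by {issuer.name}"
        if today > cert.not_after:
            return False, f"{cert.subject} expired {cert.not_after}"
        if cert.subject == cert.issuer:          # self-signed root: chain complete
            return True, "ok"
        parent = issuer.cert
        for p in cert.prefixes:
            covered = any(p.version == q.version and p.subnet_of(q)
                          for q in parent.prefixes)
            if not covered:
                return False, f"{cert.subject} holds {p} not covered by {issuer.name}"
        cert = parent


def build_hierarchy():
    """Constructed hierarchy. The ISP cert expires with the RIR billing cycle."""
    iana = CA("iana", b"iana-secret")
    iana.cert = iana.issue("iana", ["0.0.0.0/0"], date(2099, 12, 31))
    apnic = CA("apnic", b"apnic-secret")
    apnic.cert = iana.issue("apnic", ["203.0.0.0/8"], date(2099, 12, 31))
    isp = CA("isp", b"isp-secret")
    isp.cert = apnic.issue("isp", ["203.0.113.0/24"], date(2005, 6, 30))
    customer = isp.issue("customer", ["203.0.113.0/26"], date(2006, 12, 31))
    return {c.name: c for c in (iana, apnic, isp)}, customer


def scenarios():
    """Three validations of the same customer cert: normal, after the RIR
    revokes the ISP, and after the ISP's billing-linked expiry has passed."""
    cas, customer = build_hierarchy()
    before = validate(customer, cas, date(2005, 4, 21))
    cas["apnic"].revoked.add("isp")              # RIR revokes the ISP over billing
    revoked = validate(customer, cas, date(2005, 4, 21))
    cas["apnic"].revoked.discard("isp")
    lapsed = validate(customer, cas, date(2005, 7, 1))   # ISP cert past its billing cycle
    return before, revoked, lapsed


if __name__ == "__main__":
    for result in scenarios():
        print(result)
```

The customer's own cert is untouched in both failing cases; it is the ISP link one level up that the validator rejects, which is exactly why the customer in the imagined e-mail has no recourse. A real design would pin the root as a trust anchor and fetch revocation data per issuer rather than consulting a shared dict, but the dependency on every ancestor's status is the same.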


