[ppml] ARIN Certificates

Randy Bush randy at psg.com
Thu Apr 21 20:33:41 EDT 2005

>> to prattle on.  the rirs have always said "we do not control
>> routing or routability."  with x.509 attested prefix ownership,
>> the certs in the chain do control it.  one suggests that any such
>> control be exercised *extremely* lightly, downright minimally.
> Point taken. The certification process should be clearly defined and 
> approved by the membership of the RIR I should think.

this has the potential to be a very big bomb.  one of the biggest
concerns in the secure routing arena is the abuse of the security
facility to be used as a severe denial of service.

routing is global, not just one rir at a time.  the stakeholders
are not just the folk doing address allocation in the isps, but
every prefix-owning entity in the global internet.  i.e. the set of
stakeholders is very weakly represented in the rirs, a classic
problem, but one that has to be taken seriously considering the
threat model here.

if the rirs cannot be *exceedingly* well trusted to not damage the
routing of the isps, then the simple approach would be for the isps
to just get their certs from a normal commercial (or free) ca.
this may be the wiser course anyway.


