[ppml] Dean Anderson, 130.105.0.0/16 and the future of the IPv4 Internet.

David Schwartz davids at webmaster.com
Tue Jul 24 14:27:55 EDT 2007


> ARIN should start issuing certificates for prefixes handed out by
> ARIN.  ARIN should issue those certificates ONLY to recipients
> who have signed an ARIN RSA and only for the prefixes which are
> covered under said RSA.
>
> If secure routing starts using those certificates and becomes popular,
> then, the ability to get a certificate becomes a carrot for legacy
> holders to sign an RSA.

It would only be a matter of time before someone else started issuing
certificates to legacy holders. That's actually not a bad thing.

If they just issue them randomly to anyone who asks for them, no sane person
would honor those certificates. On the other hand, if they do actually do
the legwork to track down these netblocks, they'll be doing a valuable
service.

One possible way that this could somewhat backfire is if large providers
insist on being able to issue their own certificates. If a large number of
legitimate routes are signed by a certificate, you won't be able to refuse
that certificate. This will make getting a certificate to route no more
difficult than getting a large provider to route.

If any large provider says "we're going to sign our blocks with our own
key", it will be awfully hard to tell them no.

DS




