[ppml] Dean Anderson, 130.105.0.0/16 and the future of the IPv4 Internet.

Owen DeLong owen at delong.com
Tue Jul 24 14:49:03 EDT 2007


On Jul 24, 2007, at 11:27 AM, David Schwartz wrote:

>
>> ARIN should start issuing certificates for prefixes handed out by
>> ARIN.  ARIN should issue those certificates ONLY to recipients
>> who have signed an ARIN RSA and only for the prefixes which are
>> covered under said RSA.
>>
>> If secure routing starts using those certificates and becomes popular,
>> then, the ability to get a certificate becomes a carrot for legacy
>> holders to sign an RSA.
>
> It would only be a matter of time before someone else started issuing
> certificates to legacy holders. That's actually not a bad thing.
>
> If they just issue them randomly to anyone who asks for them, no sane person
> would honor those certificates. On the other hand, if they do actually do
> the legwork to track down these netblocks, they'll be doing a valuable
> service.
>
> One possible way that this could somewhat backfire is if large providers
> insist on being able to issue their own certificates. If a large number of
> legitimate routes are signed by a certificate, you won't be able to refuse
> that certificate. This will make getting a certificate to route no more
> difficult than getting a large provider to route.
>
> If any large provider says "we're going to sign our blocks with our own
> key", it will be awfully hard to tell them no.
>
> DS
>

Actually, the simple solution to that is that certificates are already
designed to be hierarchical, so, the ISP should be faced with the ability
to use their ARIN issued certificate to sign subordinate blocks.

Owen
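
The hierarchy discussed in this exchange, as an added example that is not part of the original message: a relying party accepts a route only if the prefix is held at every level from the signer up to the registry's trust anchor, so a provider's own self-signed key or a block outside the provider's allocation fails. Signature verification is omitted; the holder names, prefixes (documentation ranges) and function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceCert:
    subject: str
    issuer: str       # subject name of the issuing certificate
    prefixes: tuple   # address blocks this certificate speaks for

# Constructed sample data: documentation prefixes, hypothetical holders.
CERTS = [
    ResourceCert("ARIN", "ARIN", ("198.51.100.0/24", "203.0.113.0/24")),
    ResourceCert("ISP-A", "ARIN", ("198.51.100.0/24",)),
    ResourceCert("Cust-1", "ISP-A", ("198.51.100.64/26",)),
    ResourceCert("Cust-2", "ISP-A", ("203.0.113.0/25",)),      # outside ISP-A's block
    ResourceCert("BigISP", "BigISP", ("203.0.113.0/24",)),     # provider's own key
]

def covers(cert, want):
    """True if one of the certificate's blocks contains the wanted prefix."""
    for p in cert.prefixes:
        block = ipaddress.ip_network(p)
        if block.version == want.version and want.subnet_of(block):
            return True
    return False

def validate_route(prefix, signer, certs=CERTS, trust_anchor="ARIN"):
    """Walk from the signer up to the trust anchor; return (ok, reason)."""
    want = ipaddress.ip_network(prefix)
    by_subject = {c.subject: c for c in certs}
    current, seen = by_subject.get(signer), set()
    while current is not None and current.subject not in seen:
        seen.add(current.subject)
        # The prefix must be held at every level of the hierarchy.
        if not covers(current, want):
            return False, f"{current.subject} does not hold {prefix}"
        if current.issuer == current.subject:
            if current.subject == trust_anchor:
                return True, "chains to trust anchor"
            return False, f"{current.subject} is self-signed, not the trust anchor"
        current = by_subject.get(current.issuer)
    return False, "issuer missing or issuer loop"

if __name__ == "__main__":
    for prefix, signer in [("198.51.100.64/26", "Cust-1"),
                           ("203.0.113.0/25", "Cust-2"),
                           ("203.0.113.0/24", "BigISP")]:
        print(prefix, signer, validate_route(prefix, signer))
```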



