[dbwg] X.509 Extensions for IP Addresses and AS Identifiers

Paul Wilson pwilson at apnic.net
Sun Apr 13 20:05:11 EDT 2003


We at APNIC believe that there is a fundamental problem with this draft,
namely that it attempts to associate Internet resources with public key (ie
identity) certificates, as if those resources are fundamentally bound to the
holder of the certificate.  This problem is reflected in the language of the
document, which refers in many places to "ownership" of IP addresses and
ASNs.

On the contrary, Internet resources are allocated on a lease/license basis
which is asynchronous with creation or renewal of public key certs (under
normal circumstances at least).  Under this draft, the recipient of
resources issued over time by an RIR would need to (a) maintain a whole set
of X.509 certs (one for each resource allocation) and receive an additional
public key cert with each new resource allocation; or (b) maintain a single
or smaller set of certs carrying all of their resource allocations, in which
case they would be subject to repeated certificate revocation and reissue
each time they received a new allocation.

We believe that the proposed extensions are better suited to Attribute
Certificates, which are purpose-built for exactly this type of application.
Of course, both sets of extensions could be approved and used, with the
disadvantage of having two "competing" ways of representing resource
allocations.  

Paul Wilson
APNIC.




> -----Original Message-----
> From: dbwg-request at arin.net [mailto:dbwg-request at arin.net] On 
> Behalf Of Larry J. Blunk
> Sent: Saturday, 12 April 2003 1:25 AM
> To: dbwg at arin.net
> Subject: [dbwg] X.509 Extensions for IP Addresses and AS Identifiers
> 
> 
> 
>     There's an Internet Draft available from BBN Technologies 
> which describes extensions to X.509 certificates to 
> incorporate IP and AS allocation information.  See --
> 
> http://www.net-tech.bbn.com/sbgp/draft-ietf-pkix-x509-ipaddr-as-extn-00.txt
> 
>     This draft was produced as part of the Secure BGP project. Is there any
> consideration being given to supporting these extensions in ARIN's
> implementation of X.509?
> 
> 
>   Regards,
>    Larry Blunk
>    Merit



