On Feb 1, 2011, at 3:53 PM, Karl Auer wrote:
On Tue, 2011-02-01 at 14:51 -0800, Owen DeLong wrote:
If the RIR is signing the "invalid" ROA, how does one distinguish the invalid from the valid?
In systems where the outputs from a computer system are very, very critical, a sort of "consensus" takes place (I think they did this in some space flights too) - two of three independent systems have to agree that the information is correct before it can be acted upon.
Perhaps there is room at the top level for some such mechanism in RPKI? That is, treat "the top" not as being one RIR, but as a confederation of RIRs, possibly all with the SAME key. If different keys start appearing, the one that comes from the most RIRs is considered correct, and the other(s) as mavericks.
But I'm speaking from a very deep well of ignorance about RPKI.
Indeed... The key is how you identify the signature, essentially. So, if the bodies all share the same key, then, any one of them can sign anything and it is indistinguishable from something signed by the others. What would be needed would be a triple signature with different keys (like bank checks that require more than one signature). However, the usual process for getting something signed through that system would probably be that A does the authentication process and then asks B and C to "witness" their signature. If A has a gun to their head, they're still going to likely be able to get B and C to "witness" that signature, so, you're still in a fix. This really isn't an easy problem to solve. Until it is solved, there are serious questions about RPKI doing more harm than good.

Owen
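As an added illustration of the point in Owen's reply (this is not code from the thread or from any RPKI implementation), the check below counts a quorum by distinct signing keys rather than by signer names, so RIRs that share one key collapse into a single vote. HMAC with per-RIR keys is a stand-in for real RPKI signatures; the RIR names, keys and ROA payload are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample ROA payload and two hypothetical key arrangements for three RIRs.
ROA = b"AS64496 may originate 192.0.2.0/24"
DISTINCT_KEYS = {"RIR-A": b"key-a", "RIR-B": b"key-b", "RIR-C": b"key-c"}
SHARED_KEYS = {"RIR-A": b"shared", "RIR-B": b"shared", "RIR-C": b"shared"}


def sign(key: bytes, roa: bytes) -> bytes:
    """HMAC-SHA256 stands in for an RIR's signature over a ROA (assumption, not real RPKI/CMS)."""
    return hmac.new(key, roa, hashlib.sha256).digest()


def sign_all(roa: bytes, keys: dict, signers: list) -> dict:
    """Produce one signature per named signer, as a helper for building sample inputs."""
    return {rir: sign(keys[rir], roa) for rir in signers}


def quorum_accept(roa: bytes, signatures: dict, keys: dict, quorum: int = 2) -> bool:
    """Accept `roa` only if signatures from at least `quorum` *distinct* keys verify.

    Signers that share a key are indistinguishable to a verifier, so they are
    counted once. This does not address a signer coerced into recruiting
    genuine co-signers; it only makes key sharing visible as a single vote.
    """
    verified = {
        rir for rir, sig in signatures.items()
        if rir in keys and hmac.compare_digest(sign(keys[rir], roa), sig)
    }
    distinct_keys = {keys[rir] for rir in verified}
    return len(distinct_keys) >= quorum


if __name__ == "__main__":
    two_of_three = sign_all(ROA, DISTINCT_KEYS, ["RIR-A", "RIR-B"])
    print("distinct keys, 2 signers:", quorum_accept(ROA, two_of_three, DISTINCT_KEYS))
    all_shared = sign_all(ROA, SHARED_KEYS, ["RIR-A", "RIR-B", "RIR-C"])
    print("shared key, 3 signers:  ", quorum_accept(ROA, all_shared, SHARED_KEYS))
```

With distinct keys two valid signatures meet the quorum, while three signatures made with one shared key count as a single signer and are rejected.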