On Jan 30, 2011, at 8:28 AM, sthaug@nethelp.no wrote:
- Hosted solutions offer a low barrier entry to smaller organizations who simply cannot develop their own PKI infrastructure. This is the case where they also lack the organizational skills to properly manage the keys themselves, so, in most cases at least, they are *better off* with a hosted solution
They also offer an attractive target for miscreants with a huge payoff if they are ever compromised. ...
For RIPE, their hosted solution is clearly meeting expectations within their region. Other regionĀ“s mileage may vary. I hope we (LACNIC) can do just as well.
We'll see how people feel after the first time it gets pwn3d.
I am already trusting RIPE with my data - specifically, RIPE publishes route objects for my prefixes, and my transit providers generate their prefix lists based on these route objects. I fail to see how a hosted RPKI solution would make this situation worse.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Because they publish data you have signed. They don't have the ability to modify the data and then sign that modification as if they were you if they aren't holding the private key. If they are holding the private key, then, you have, in essence, given them power of attorney to administer your network. If you're OK with that, more power to you. It's not the trust model I would prefer. Owen