The LOA type model is one of the ones we showed on slideware when we presented RTA in IETF, and at the CloudFlare RPKI workshop years ago. The detached signature model inherent in RTA and RSC goes to "you define the business logic" It's not proscriptive. I saw nothing proposed here which I thought wasn't a rational thing to try and certify in this manner. The key point is, the "action" you want to approve has to vest in "who controls the stated internet number resources" -If they have no bearing, then its not rational to propose using (R)PKI to do it. some other PKI? sure. Randy is correct that the processes are baroque, not well defined, come with all kinds of corner cases: what does a more specific command (regarding some IP address) if its not signed and the parent is? or, if the more specific is, and the parent isn't?) Randy is also correct that RPKI certificates by design, do not permit their use in ways which go directly to things like identity proofs. detached signatures open the door to doing some things here, because you can sign over something which ways "the person identified by the following public key is to be permitted to ..." And in like sense, we removed the uses which go to message encryption, sender or receiver. You can't directly use an RPKI certificate to do "for your eyes only" -it can only say "the person controlling these numbers, says the following" Obviously, I think this detached signature model is good :-) On Tue, Feb 23, 2021 at 6:31 AM Randy Bush <randy@psg.com> wrote:
What if PeeringDB would be the CA for the Facilities? Supposedly this solves the CA problem of the "Colo Folks".
I think pushing your security identification out (as the notional equinix) to a third party where you can't revoke/change/etc is asking for dangerous things to happen.
there are a few examples of industry associations with simple, strong, and formal ties sufficient to allow forms of trust automation. folk such as karen o'donoghue, lucy lynch, and heather flanagan would be able to speak vastly more knowledgeably in this space than i.
again, that draft is a... draft still and I"m sure we'll have a bunch of chatter/discussion/changes before done, but it smells like it might help.
you might notice that we use it in draft-ietf-opsawg-finding-geofeeds. but that application is specifically to use rpki data to attest to ip address ownership. the problem there is that the draft is a cool proof of concept, but is not operationally easy to use.
randy
--- randy@psg.com `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com` signatures are back, thanks to dmarc header mangling