On Sun, Jan 30, 2011 at 12:40 PM, Owen DeLong <owen@delong.com> wrote:
> Because they publish data you have signed. They don't have the ability to modify the data and then sign that modification as if they were you if they aren't holding the private key. If they are holding the private key, then, you have, in essence, given them power of attorney to administer your network.
>
> If you're OK with that, more power to you. It's not the trust model I would prefer.

I suspect that many users would prefer to trust ARIN with their private keys, if offered that choice. The reasons are simple; adoption will be more wide-spread if RPKI is easier to do; and as we all know, there are an awful lot of BGP networks which are:

* on auto-pilot, with no clued in-house staff and no stable relationships with outside clue
* driven by people who are somewhere between totally clueless and capable of understanding public-key encryption
* driven by over-worked people who simply don't have time for another to-do of any complexity

Many users would benefit from the kind of hosted service that is made available by, for example, RIPE. In fact, if they felt they could trust ARIN (or any alternative service which may exist), most of my clients would be perfectly fine with such a service, and I would not advise them to do otherwise without a valid business reason and a belief that equal or superior security would be provided by not using such a hosted service.

Since ARIN holds ultimate authority over the ISP's address space anyway, if ARIN's private keys become compromised, whether or not you held onto your own keys will not matter to the rest of the world.

If I understand correctly, John has expressed that ARIN's concern is they may be sued if their hosted service fails to perform, and that ordinary contractual language may be unable to limit damages if the reality is that the service-customer has no other choice but to use the ARIN service. This is clearly not a legitimate concern if there is an alternative to such an ARIN hosted service, such as using no hosted service at all, or the possibility of using another one.

I don't see how the lack of ARIN providing a hosted service immediately in any way prevents them from doing so in the future. If widespread RPKI adoption doesn't happen and a few more accidental or intentional YouTube black-holes do happen, it seems likely that stakeholders will encourage ARIN to do more, and a hosted service would be an obvious step to increase adoption.

As you know, my comfort level with ARIN handling tasks of an operational nature is not high; but if they are going to participate in RPKI in any way, I think they should be capable of performing similarly to RIPE. If not, we should be asking ourselves either 1) why would anyone trust RIPE with their keys; or 2) why is RIPE more trustworthy than ARIN? If the answer to that is RIPE is significantly more competent than ARIN (most folks I know are of this belief) then this discussion should not be about one technical effort. Instead, it should be about how to make ARIN better.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts