On Tue, 24 Apr 2007, Sean Donelan wrote:
> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
>> I think the strawman proposals so far were something like:
>>   1) iana has 'root' ca-cert
>>   2) iana signs down certs for RIR's
>>   3) RIR's sign down certs for LIR's
>>   4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
>> This seemed not-too-insane, and would give ISP/operator type folks that ability to easily and quickly verify that:
>>   157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
>> with some level of authority... It's nothing really more than that.
> You can do online or offline verification of a trust chain. RSA, certs, etc are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.
yes, but: 1) there is no discussion of certs+bgp 2) they need to clean up/tighten up anyway, adding some helpful (to operators) bits is a nice thing, yes?
> The problem in your trust chain above is the LIR's don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. I forgot my password) to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for "me".
Is it really that easy? I recall a few people having LOTS of trouble getting their address block information changed so it was once again usable... I know we had some headaches getting our information switched around to reflect corporate changes.
> An online chain of RWHOIS delegations or an offline chain of RSA certificates (which you will still need an online CRL check), doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
yes, but the math makes, hopefully, the checking simpler... and it's a better system than exists today at many places where 'if you put yer object in the IRR we'll accept it!' (see ConEd incident of 2 years back for one example). Without any programmatic checking of this data the only thing accomplished with use of an IRR is to increase the speed with which you can change prefix-list data :( there is no check for accuracy nor authority. -Chris
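The strawman chain from the thread (IANA root signs the RIR, the RIR signs the LIR, the LIR signs the end user, and a relying party then checks "is 157.242.0.0/16 permitted to originate by LMU-1?") as an added, self-contained example; it is not part of the message or of any registry's software. It stands in Go's standard-library Ed25519 and JSON for real certificate formats, and everything except the thread's own prefix and org-id (the holder names RIR-EXAMPLE and LIR-EXAMPLE, the allocations, the keys, the revocation list, and the function names Cert, issue, covered, VerifyOrigin and Demo) is constructed for the demo. It goes one step past the thread's list: besides checking each signature and a revocation list (the CRL check Sean mentions), it checks that every delegation stays inside the issuer's own address space, so a certificate signed with a valid LIR key for space the LIR never received still fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net"
)

// Cert is a toy resource certificate: the holder, the prefixes its issuer
// delegated, the holder's public key, and the issuer's signature over the
// canonical JSON encoding of those three fields.
type Cert struct {
	Holder   string            `json:"holder"`
	Prefixes []string          `json:"prefixes"`
	PubKey   ed25519.PublicKey `json:"pubkey"`
	Sig      []byte            `json:"sig,omitempty"`
}

// tbs returns the "to be signed" bytes: the certificate minus its signature.
func (c Cert) tbs() []byte {
	b, _ := json.Marshal(Cert{Holder: c.Holder, Prefixes: c.Prefixes, PubKey: c.PubKey})
	return b
}

// issue signs a certificate for holder with the issuer's private key.
func issue(issuer ed25519.PrivateKey, holder string, prefixes []string, pub ed25519.PublicKey) Cert {
	c := Cert{Holder: holder, Prefixes: prefixes, PubKey: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// covered reports whether child lies inside at least one parent prefix
// (same or longer mask, network address contained in the parent).
func covered(parents []string, child string) bool {
	_, cn, err := net.ParseCIDR(child)
	if err != nil {
		return false
	}
	clen, _ := cn.Mask.Size()
	for _, p := range parents {
		if _, pn, err := net.ParseCIDR(p); err == nil {
			if plen, _ := pn.Mask.Size(); pn.Contains(cn.IP) && clen >= plen {
				return true
			}
		}
	}
	return false
}

// VerifyOrigin walks chain from the trusted root key to the leaf. At each step
// it checks the issuer's signature, that the holder is not revoked (the CRL
// check), and that every delegated prefix lies within the issuer's own space.
// It then answers "may origin originate prefix?" from the leaf certificate.
func VerifyOrigin(root ed25519.PublicKey, chain []Cert, prefix, origin string, revoked map[string]bool) error {
	issuerKey, issuerSpace, holder := root, []string{"0.0.0.0/0"}, "root"
	for _, c := range chain {
		if revoked[c.Holder] {
			return fmt.Errorf("%s: certificate revoked", c.Holder)
		}
		if !ed25519.Verify(issuerKey, c.tbs(), c.Sig) {
			return fmt.Errorf("%s: signature does not verify under %s's key", c.Holder, holder)
		}
		for _, p := range c.Prefixes {
			if !covered(issuerSpace, p) {
				return fmt.Errorf("%s: %s is outside %s's space", c.Holder, p, holder)
			}
		}
		issuerKey, issuerSpace, holder = c.PubKey, c.Prefixes, c.Holder
	}
	if holder != origin {
		return fmt.Errorf("chain ends at %s, not %s", holder, origin)
	}
	if !covered(issuerSpace, prefix) {
		return fmt.Errorf("%s is not held by %s", prefix, origin)
	}
	return nil
}

// Demo builds the IANA -> RIR -> LIR -> user chain with freshly generated
// (constructed) keys and allocations; it also hands back the LIR's private key
// so a caller can see that even a correctly signed out-of-space delegation fails.
func Demo() (ed25519.PublicKey, []Cert, ed25519.PrivateKey) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	rirPub, rirPriv, _ := ed25519.GenerateKey(rand.Reader)
	lirPub, lirPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Cert{
		issue(rootPriv, "RIR-EXAMPLE", []string{"157.0.0.0/8"}, rirPub),   // constructed allocation
		issue(rirPriv, "LIR-EXAMPLE", []string{"157.242.0.0/15"}, lirPub), // constructed allocation
		issue(lirPriv, "LMU-1", []string{"157.242.0.0/16"}, userPub),      // prefix/org-id from the thread
	}
	return rootPub, chain, lirPriv
}

func main() {
	root, chain, _ := Demo()
	fmt.Println("LMU-1 origin:", VerifyOrigin(root, chain, "157.242.0.0/16", "LMU-1", nil))
	fmt.Println("LIR revoked:", VerifyOrigin(root, chain, "157.242.0.0/16", "LMU-1", map[string]bool{"LIR-EXAMPLE": true}))
}
```

What the check does and does not buy is exactly the point the two of them are arguing: a passing chain proves that the registries' records, as signed, delegate that prefix to that org-id, and a relying party can evaluate that offline and programmatically instead of trusting an unchecked IRR object. It proves nothing about whether the LIR verified the user before signing; if the LIR's records are wrong, the signatures are wrong with the same authority.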