RPKI chain of trust
Good morning everyone,
I have a doubt about the RPKI chain of trust. The 5 RIRs hold a self-signed root certificate for all the resources they have in the registry. The root certificate is used to sign the LIR's certificates that list the LIR's resources. LIRs use their private key to sign ROAs. The LIR's public key is used to verify ROA signatures and the RIR's public key is used to verify the LIR's signatures.
Is this correct?
Thanks in advance,
Fabiano
Perhaps this clarifies things:
https://rpki.readthedocs.io/en/latest/rpki/introduction.html#mapping-the-res...
As well as this section:
https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html
Cheers,
Alex
Hi Alex,
thank you. I read that documentation and I was reading this one from page 201:
https://www.ripe.net/support/training/material/bgp-operations-and-security-t...
It seems that RIRs have a self-signed root certificate. They use this certificate to sign LIR's certificates and LIR's private key is used to sign ROAs. I am not very sure about the use of public keys.
Fabiano
Hi Fabiano,
On 26 Aug 2020, at 11:03, Fabiano D'Agostino <fabiano.dagostino96@gmail.com> wrote:
Hi Alex, thank you. I read that documentation and I was reading this one from page 201: https://www.ripe.net/support/training/material/bgp-operations-and-security-t...
It seems that RIRs have a self-signed root certificate. They use this certificate to sign LIR's certificates and LIR's private key is used to sign ROAs. I am not very sure about the use of public keys.
The “LIR”’s public key is on the certificate signed by the RIR and that makes the chain.
-Alex
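The chain discussed in this thread, as an added example that is not code from either poster or from the documentation they link: a relying party checks the RIR signature on the LIR certificate, then the LIR signature on the ROA, and at each step that the resources are covered by the issuer's. It follows the thread's simplified model (the LIR key signs the ROA directly) and swaps real X.509/CMS for toy textbook RSA over fixed Mersenne primes; every name, prefix and ASN is constructed.

```python
import hashlib, ipaddress, json

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Toy textbook RSA from fixed primes: deterministic, NOT secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(obj, n):
    blob = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(obj, n, d):      # needs the signer's private exponent
    return pow(digest(obj, n), d, n)

def verify(obj, sig, n):  # needs only the signer's public modulus
    return pow(sig, E, n) == digest(obj, n)

def covers(resources, prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in resources)

RIR_N, RIR_D = keypair(2**61 - 1, 2**89 - 1)
LIR_N, LIR_D = keypair(2**107 - 1, 2**127 - 1)

# Self-signed root: the relying party trusts it out of band (trust anchor).
root = {"subject": "RIR", "pubkey": RIR_N,
        "resources": ["192.0.2.0/24", "198.51.100.0/24"]}
root_sig = sign(root, RIR_N, RIR_D)
# The LIR certificate carries the LIR public key and is signed by the RIR.
lir_cert = {"subject": "LIR", "pubkey": LIR_N, "resources": ["192.0.2.0/24"]}
lir_sig = sign(lir_cert, RIR_N, RIR_D)
# The ROA is signed with the LIR private key.
roa = {"asn": 64496, "prefix": "192.0.2.0/25", "maxlen": 25}
roa_sig = sign(roa, LIR_N, LIR_D)

def validate(roa, roa_sig, cert, cert_sig, anchor, anchor_sig):
    if not verify(anchor, anchor_sig, anchor["pubkey"]):
        return "bad trust anchor"
    if not verify(cert, cert_sig, anchor["pubkey"]):
        return "LIR cert not signed by RIR"
    if not all(covers(anchor["resources"], r) for r in cert["resources"]):
        return "LIR cert overclaims"
    if not verify(roa, roa_sig, cert["pubkey"]):
        return "ROA not signed by LIR"
    if not covers(cert["resources"], roa["prefix"]):
        return "ROA prefix outside LIR resources"
    return "valid"
```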
participants (2)
- Alex Band
- Fabiano D'Agostino