Re: If you are using APNIC as an RPKI trust anchor, please update your Trust Anchor Set.
APNIC will be switching to a new RPKI 'split' trust anchor system on the 25th of October. This change is needed to align APNIC administered resources with their allocation hierarchy. These resources will also be certified under each responsible parent registry at the appropriate time. ... If you have any questions please contact me.
ok. i'll bite. what the heck is this meant to support? i thought the rirs were moving from five TALs to one. randy, very confused
On 16/10/2012, at 4:15 AM, Randy Bush <randy@psg.com> wrote:
APNIC will be switching to a new RPKI 'split' trust anchor system on the 25th of October. This change is needed to align APNIC administered resources with their allocation hierarchy. These resources will also be certified under each responsible parent registry at the appropriate time. ... If you have any questions please contact me.
ok. i'll bite. what the heck is this meant to support? i thought the rirs were moving from five TALs to one.
randy, very confused
Randy, we have an operational need to separate the existing single TAL into its discrete components for each source, so we can have production certificates for each source, so that we can ultimately have them signed under their appropriate parent registry, Once there is a global trust anchor, you can validate the 5 APNIC operating CA under a single root, single TAL. Until then, an APNIC TAL is necessary. -George
George, On Oct 15, 2012, at 8:44 PM, George Michaelson <ggm@algebras.org> wrote:
Once there is a global trust anchor, you can validate the 5 APNIC operating CA under a single root, single TAL. Until then, an APNIC TAL is necessary.
So, just to be clear, the lack of a single TAL is due to inaction on the part of ICANN? Thanks, -drc
On 16/10/2012, at 11:09 AM, David Conrad <drc@virtualized.org> wrote:
George,
On Oct 15, 2012, at 8:44 PM, George Michaelson <ggm@algebras.org> wrote:
Once there is a global trust anchor, you can validate the 5 APNIC operating CA under a single root, single TAL. Until then, an APNIC TAL is necessary.
So, just to be clear, the lack of a single TAL is due to inaction on the part of ICANN?
Thanks, -drc
No David, no implication was intended that this is due to inaction on the part of ICANN. Sometimes, these things just take time. cheers -George
ok. i'll bite. what the heck is this meant to support? i thought the rirs were moving from five TALs to one.
Randy, we have an operational need to separate the existing single TAL into its discrete components for each source, so we can have production certificates for each source, so that we can ultimately have them signed under their appropriate parent registry,
ok, i'll give. what are the five 'sources'? randy
Perhaps the following? AfriNIC ARIN APNIC LACNIC RIPE Regards, Jay On 16/10/2012, at 1:18 PM, Randy Bush <randy@psg.com> wrote:
ok. i'll bite. what the heck is this meant to support? i thought the rirs were moving from five TALs to one.
Randy, we have an operational need to separate the existing single TAL into its discrete components for each source, so we can have production certificates for each source, so that we can ultimately have them signed under their appropriate parent registry,
ok, i'll give. what are the five 'sources'?
randy
participants (5)
-
David Conrad -
George Michaelson -
George Michaelson -
Jay Mitchell -
Randy Bush