[arin-announce] ARIN Resource Certification Update

Owen DeLong owen at delong.com
Sun Jan 30 15:00:00 UTC 2011


On Jan 30, 2011, at 5:57 AM, Carlos Martinez-Cagnazzo wrote:

> What I just don't get is, if we as a society have created institutions
> we trust with our *money* (AKA banks), why there can't be institutions
> we trust with our crypto keys. I know that banks sometimes fail, and
> yes, probably "crypto banks" will sometimes fail as well, but on the
> whole, the failure rate of trusted institutions can be quite low,
> acceptably low.
> 
Banks are not an all or nothing proposition. Only a fool trusts a single
bank with all of his money.

On the other hand, your private key, short of a complicated key escrow
environment like the one employed by ICANN for the root key for DNSSEC,
is an all-or-nothing proposition. Either you completely trust the other
organization, or you don't.

Further, when we trust banks with our money, we trust them to hold it,
but, we have separate verifiable documentation of how much they are
holding for us and they are accountable to return the money to us upon
demand.

In the case of a private key, it's not money you hand over, it is your very
identity in the digital universe. It would be akin to handing your passport
to your banker and giving him the ability to replace your picture with his
own and then use that passport in whatever manner he sees fit.

> IMO the whole thing seems to boil down to the complex interaction of
> psychological, emotional and other aspects of how we perceive a
> certain situation. And it clearly depends on the region, just look at
> RIPE's column and how it grows relentlessly (I included only a few
> lines, full stats can be found in the URL posted by Arturo in an
> earlier post)
> 
Yes, it is cultural and regional. Yes, it is partially a matter of psychology.

> R2a. IPv4 Space Covered by ROAs (in units of /24s)
> ----
> 
> date       |    lacnic|     apnic|   afrinic|      arin|      ripe|
> 2011-01-11 |        17|       189|         1|         0|     28902|
> 2011-01-12 |        17|       189|         1|   1867.03|     32439|
> 2011-01-13 |        17|      None|         1|   1867.03|     32810|
> 2011-01-14 |        17|       181|         1|   1867.03|     32819|
> 2011-01-15 |        17|       181|         1|   1867.03|     32875|
> 2011-01-16 |        17|       181|         1|   1867.03|     32875|
> 2011-01-17 |        17|       181|         1|        20|     32903|
> 2011-01-18 |        17|       181|         2|      None|     33783|
> 2011-01-19 |        17|       177|         2|      None|     35271|
> 
> Hats off to RIPE People!
> 
We'll see. I have no doubt that if ARIN implemented RPKI the way
RIPE has, we'd see similar numbers. However, that doesn't tell
the whole story and there are differences in the legal framework
under which RIPE operates vs. ARIN that also present unique
challenges for ARIN doing things that way.

I'm not convinced that what RIPE is doing is completely in the
community interest. I think holding that many organizations'
private keys in trust in a single central repository is somewhat
irresponsible and short-sighted. Yes, it creates a near-term
benefit and accelerates deployment of RPKI. However, it
also has risks which don't show up in your table.

Owen




