BGP Security and PKI Hierarchies (was: Re: Wifi Security)

Sandy Murphy sandy at tislabs.com
Thu Nov 24 00:42:10 UTC 2005


>in operation, this means that there could be isp- (or ufo-)centric
>isp identity certification (a la web of trust, for example) which
>could have a very separate cert chain from that of address space
>allocation, which, aside from the legacy issue, could come via the
>rirs.

So when one receives an update, which part is it that you verify with
the certificate derived from the RIR chain and which part is it that you
verify with the certificate derived from the web-of-trust?  I'm guessing
the answer in part is that there's a signature attesting to the
prefix origination based on the RIR-rooted certificate, but I'm not
certain what you are suggesting you would sign with the web-of-trust
based ISP identity certificate (the origination announcement, indicating
that it is not only authorization to originate but also source
authentication?)

If the RIR-rooted certificate says that ISP XYZ is allocated prefix P,
does the web-of-trust ISP identity certificate have to say exactly
"ISP XYZ"?  Is that exact match the link between what the RIR-rooted
cert is proving and what the web-of-trust identity cert is proving?

--Sandy
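
The two-chain check that the questions above are probing, written out as an added example that is not part of the NANOG thread and not anyone's deployed design. It assumes one possible answer to Sandy's questions: the RIR-rooted chain proves an allocation to a named holder, the web-of-trust chain proves which identity key belongs to a name, the announcement itself is signed with that identity key, and the link between the two chains is an exact match on the name. Signatures are HMACs over a canonical string standing in for asymmetric signatures, the KEYS table stands in for the public keys a verifier would learn from the certificates, and every name, prefix and AS number is made up.

```python
# Added example, not from the NANOG thread: a toy model of checking a BGP origination
# against two separate certificate chains, one rooted at an RIR (address allocation)
# and one rooted in a web of trust (ISP identity). HMACs stand in for real signatures
# and KEYS stands in for the public keys carried in the certificates. All names,
# prefixes and AS numbers are constructed for the example.
import hashlib
import hmac
import ipaddress

# Constructed key store: entity name -> key. "XYZ Networks" deliberately holds the same
# key as "ISP XYZ" so that the name-matching step can be shown in isolation.
KEYS = {
    "RIR": b"rir-root-key",
    "WOT": b"wot-introducer-key",
    "ISP ABC": b"abc-key",
    "ISP XYZ": b"xyz-key",
    "XYZ Networks": b"xyz-key",
}


def sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def cert(issuer, subject, claim):
    """Issuer vouches for (subject, claim); signed with the issuer's key."""
    return {"issuer": issuer, "subject": subject, "claim": claim,
            "sig": sign(KEYS[issuer], f"{issuer}|{subject}|{claim}")}


def verify_chain(chain, anchor):
    """Each cert must be issued by the trust anchor or by the previous cert's subject."""
    expected_issuer = anchor
    for c in chain:
        if c["issuer"] != expected_issuer:
            return False
        body = f"{c['issuer']}|{c['subject']}|{c['claim']}"
        if not hmac.compare_digest(c["sig"], sign(KEYS[c["issuer"]], body)):
            return False
        expected_issuer = c["subject"]
    return True


def make_update(origin_as, prefix, signer):
    """Origination announcement signed with the originating ISP's identity key."""
    return {"origin_as": origin_as, "prefix": prefix, "signer": signer,
            "sig": sign(KEYS[signer], f"{origin_as}|{prefix}")}


def verify_origination(update, rir_chain, id_chain):
    # 1. RIR-rooted chain: proves that the leaf subject was allocated the prefix.
    if not verify_chain(rir_chain, "RIR"):
        return "bad RIR chain"
    alloc = rir_chain[-1]
    allocated = ipaddress.ip_network(alloc["claim"].split("=", 1)[1])
    announced = ipaddress.ip_network(update["prefix"])
    if announced.version != allocated.version or not announced.subnet_of(allocated):
        return "prefix not covered by allocation"
    # 2. Web-of-trust chain: proves which name holds the key that signed the update.
    if not verify_chain(id_chain, "WOT"):
        return "bad identity chain"
    identity = id_chain[-1]["subject"]
    # 3. The link between the two chains: the allocation holder named by the RIR cert
    #    and the identity named by the web-of-trust cert must match exactly.
    if identity != alloc["subject"]:
        return f"identity mismatch: allocation to {alloc['subject']!r}, signer is {identity!r}"
    # 4. Source authentication of the announcement itself with the identity key.
    body = f"{update['origin_as']}|{update['prefix']}"
    if update["signer"] != identity or not hmac.compare_digest(
            update["sig"], sign(KEYS[identity], body)):
        return "bad announcement signature"
    return "ok"


# Constructed chains: RIR allocates to ISP XYZ; WOT introducer vouches for ISP ABC,
# which in turn vouches for ISP XYZ's identity.
RIR_CHAIN = [cert("RIR", "ISP XYZ", "allocated=192.0.2.0/24")]
ID_CHAIN = [cert("WOT", "ISP ABC", "identity"), cert("ISP ABC", "ISP XYZ", "identity")]

if __name__ == "__main__":
    good = make_update(64500, "192.0.2.0/25", "ISP XYZ")
    print(verify_origination(good, RIR_CHAIN, ID_CHAIN))
    # Same key, same prefix, but the identity cert spells the ISP's name differently:
    # both chains validate on their own, and the exact-match link still fails.
    other_id = [cert("WOT", "ISP ABC", "identity"),
                cert("ISP ABC", "XYZ Networks", "identity")]
    other = make_update(64500, "192.0.2.0/25", "XYZ Networks")
    print(verify_origination(other, RIR_CHAIN, other_id))
```

The second run in the usage block is the case Sandy's last question is about: if the link between the chains is a string comparison, then two certificates describing the same organisation under slightly different names do not link, even when the signing key is identical.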
