Lightly used IP addresses

William Pitcock nenolod at
Fri Aug 13 18:59:14 UTC 2010

On Fri, 2010-08-13 at 18:49 +0000, Nathan Eisenberg wrote:
> Isn't this a little bit like an SSL daemon?


> One which refuses to process a revocation list on the basis of the
> function of the certificate is useless.

no, it's not.  ssl as a form of identity assurance itself is what is

> The revocation list only has authority if the agent asks for and
> processes it.

most don't do this, because:

- most SSL daemons don't serve the revocation lists;
- most SSL agents don't know how to download the revocation lists from
another source.

see previous note about SSL being worthless for identity assurance.

> Would you use this SSL daemon, knowing that it had this bug? 

i wouldn't care - see above points.

> I would consider a transit provider who subverted an ARIN revocation
> to be disreputable, and seek other sources of transit.

how do you know if the ARIN revocation is proper?  with the IPv4
exhaustion becoming very close to happening now, it is possible that
ARIN could "go rogue."

following a corporation (yes, ARIN is a corporation) as if you were a
sheep will empower them to do precisely this in the future.


More information about the NANOG mailing list