[ncc-services-wg] RPKI Resource Certification: building features

Owen DeLong owen at delong.com
Mon Oct 4 09:59:53 UTC 2010


> 
>> I'll go a step further and say that the resource holder should be
>> the ONLY holder of the private key for their resources.
>> 
>> Owen
> 
> If you're saying that ISPs can only participate in an RPKI scheme if they
> run their own Certificate Authority, then I think that would practically
> ruin the chances of Certification actually ever taking off on a large
> scale.
> 
> -Alex

No... I'm saying that if ISPs aren't the only entities that hold their
private keys, then they aren't the only entities that can sign their
resources.

If you choose to delegate the CA role for signing your resources
to someone else, then, obviously, you have to give them a valid
private key with which to sign those resources.

However, in doing that, you've created a situation where your 
signature is now much easier to forge. Kind of like automatic
signing machines for checks. Benefit: The accounting department
can sign thousands of checks and the CFO doesn't have to.
Draw-back... The accounting department can sign thousands of
checks without the CFO knowing they did so.

Owen





More information about the NANOG mailing list