[arin-announce] ARIN Resource Certification Update

Carlos Martinez-Cagnazzo carlos at lacnic.net
Sun Jan 30 16:25:53 UTC 2011


I see also that many concerns expressed here are extensions of the
perceived failures of the whole CA business. I agree that the whole
model of CAs has largely failed. Not only are there too many of them,
but the fact that they try to operate as for-profits makes them
vulnerable to all the pressures that come with the need to sell and
generate revenue.

The spectacular failures they have suffered in the past (certificates
with Microsoft's name on them, I guess everyone remembers) have
certainly not helped.

Basically the only thing you now get from using SSL certs is
end-to-end encryption, and for that, a self-signed certificate does
just as well as a thousand dollar one from your preferred friendly CA.

However, as I said on an earlier post, I still believe that the hosted
solution for RPKI is a good one at this point in time for a certain
group of users of a certain application. It is *very* vertical, or
niche if you want. We should not try to extend it to other
applications or other groups of users.

Randy sums up my whole feelings on the issue. I also think we need
top-down soon, and I wouldn't mind in the future seeing a nice Pareto
distribution where 80% of members use the hosted solution, but account
for 20% of routed space, where 20% of customers use top-down accounting
for 80% of routed space.

Perfection is the enemy of good. Before hosted RPKI the only way of
checking origin-as information was to use one of the public routing
registries. A routing registry which is fed from RPKI data is a lot
more trustworthy than plain email auth IRRs are. Is it perfect? Of
course not. Can it be improved? Of course it can.

cheers!

Carlos



