[arin-announce] ARIN Resource Certification Update

Owen DeLong owen at delong.com
Sun Jan 30 17:40:02 UTC 2011


On Jan 30, 2011, at 8:28 AM, sthaug at nethelp.no wrote:

>>> - Hosted solutions offer a low barrier entry to smaller organizations
>>> who simply cannot develop their own PKI infrastructure. This is the
>>> case where they also lack the organizational skills to properly manage
>>> the keys themselves, so, in most cases at least, they are *better off*
>>> with a hosted solution
>>> 
>> They also offer an attractive target for miscreants with a huge payoff
>> if they are ever compromised.
> ...
>>> For RIPE, their hosted solution is clearly meeting expectations within
>>> their region. Other region's mileage may vary. I hope we (LACNIC) can
>>> do just as well.
>>> 
>> We'll see how people feel after the first time it gets pwn3d.
> 
> I am already trusting RIPE with my data - specifically, RIPE publishes
> route objects for my prefixes, and my transit providers generate their
> prefix lists based on these route objects. I fail to see how a hosted
> RPKI solution would make this situation worse.
> 
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

Because they publish data you have signed. They don't have the ability
to modify the data and then sign that modification as if they were you if
they aren't holding the private key. If they are holding the private key,
then, you have, in essence, given them power of attorney to administer
your network.

If you're OK with that, more power to you. It's not the trust model I would
prefer.

Owen




