Re: [arin-announce] ARIN Resource Certification Update

2011-01-31 Thread Alex Band
On 31 Jan 2011, at 04:25, Paul Vixie wrote: the reasoning you're describing is what we had in mind when we built DLV as an early deployment aid for DNSSEC. we had to break stiction where if there were no validators there would be incentive to sign, and if there were no signatures there

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Alex Band
Paul, I think my question is very pertinent. Of course the number of signed prefixes directly influences the number of validators. Do you think the RIPE NCC Validator tool would have been downloaded over 100 times in the last month if there were only 5 certified prefixes? In my opinion, the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Carlos Martinez-Cagnazzo
What I just don't get if, we as a society, have created institutions we trust with our *money* (AKA banks), why there can't be institutions we trust with our crypto keys. I know that banks sometimes fail, and yes, probably crypto banks will sometimes fail as well, but on the whole, the failure

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Carlos Martinez-Cagnazzo
message: From: John Curran jcur...@arin.net Date: January 24, 2011 2:58:52 PM EST To: arin-annou...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Owen DeLong
On Jan 30, 2011, at 5:57 AM, Carlos Martinez-Cagnazzo wrote: What I just don't get if, we as a society, have created institutions we trust with our *money* (AKA banks), why there can't be institutions we trust with our crypto keys. I know that banks sometimes fail, and yes, probably crypto

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Leen Besselink
Hello Carlos, On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote: What I just don't get if, we as a society, have created institutions we trust with our *money* (AKA banks), why there can't be institutions we trust with our crypto keys. I know that banks sometimes fail, and yes, probably

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Owen DeLong
...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Valdis Kletnieks
On Sun, 30 Jan 2011 11:57:57 -0200, Carlos Martinez-Cagnazzo said: What I just don't get if, we as a society, have created institutions we trust with our *money* (AKA banks), why there can't be institutions we trust with our crypto keys. I know that banks sometimes fail, and yes, probably

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Randy Bush
hi alex, just to be clear i think your web-based system is a good thing. 97.3% of your members do not want to go through the effort of installing certifying software and doing up/down with you. i am not fond of you holding folk's private keys, but that's what they get for laziness. of course

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Carlos Martinez-Cagnazzo
There's a big difference. If a bank screws up and loses $5,000 of my money, I can (at least potentially) sue them and recover $5,000 which is pretty much identical to the $5,000 I lost. If a key escrow company loses my private key, getting back an identical private key is exactly the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Carlos Martinez-Cagnazzo
I see also that many concerns expressed here are extensions of the perceived failures of the whole CA business. I agree that the whole model of CAs has largely failed. Not only are there too many of them, but the fact that they try to operate as for-profits makes them vulnerable to all the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread sthaug
- Hosted solutions offer a low barrier entry to smaller organizations who simply cannot develop their own PKI infrastructure. This is the case where they also lack the organizational skills to properly manage the keys themselves, so, in most cases at least, they are *better off* with a

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Owen DeLong
On Jan 30, 2011, at 8:28 AM, sth...@nethelp.no wrote: - Hosted solutions offer a low barrier entry to smaller organizations who simply cannot develop their own PKI infrastructure. This is the case where they also lack the organizational skills to properly manage the keys themselves, so, in

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Carlos M. Martinez
Hey! Steinar Haug, Nethelp consulting, sth...@nethelp.no Because they publish data you have signed. They don't have the ability to modify the data and then sign that modification as if they were you if they aren't holding the private key. If they are holding the private key, then, you have,

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Mark Andrews
In message 4d457f0e.7070...@consolejunkie.net, Leen Besselink writes: Hello Carlos, On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote: What I just don't get if, we as a society, have created institutions we trust with our *money* (AKA banks), why there can't be institutions we

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Jeff Wheeler
On Sun, Jan 30, 2011 at 12:40 PM, Owen DeLong o...@delong.com wrote: Because they publish data you have signed. They don't have the ability to modify the data and then sign that modification as if they were you if they aren't holding the private key. If they are holding the private key, then,

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread Paul Vixie
From: Alex Band al...@ripe.net Date: Sun, 30 Jan 2011 11:39:36 +0100 I think my question is very pertinent. Of course the number of signed prefixes directly influences the number of validators. Do you think the RIPE NCC Validator tool would have been downloaded over 100 times in the last

Re: [arin-announce] ARIN Resource Certification Update

2011-01-29 Thread Alex Band
: John Curran jcur...@arin.net Date: January 24, 2011 2:58:52 PM EST To: arin-annou...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its preparations

Re: [arin-announce] ARIN Resource Certification Update

2011-01-29 Thread John Curran
On Jan 29, 2011, at 10:26 AM, Alex Band wrote: John, Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC currently offers. We're developing support for the up/down protocol as I write this. Alex - Yes, congrats on rolling out

Re: [arin-announce] ARIN Resource Certification Update

2011-01-29 Thread Arturo Servin
-annou...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its preparations for offering production-grade resource certification services for Internet number resources

Re: [arin-announce] ARIN Resource Certification Update

2011-01-29 Thread Paul Vixie
From: Alex Band al...@ripe.net Date: Sat, 29 Jan 2011 16:26:55 +0100 ... So the question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source tool-sets Randy mentions, would there be this much certified address space now? i don't agree

Re: [arin-announce] ARIN Resource Certification Update

2011-01-29 Thread Owen DeLong
...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance of Internet number resource

Re: [arin-announce] ARIN Resource Certification Update

2011-01-28 Thread Samuel Weiler
[moderation seems slow; resending from subscribed address instead] On Mon, 24 Jan 2011, Danny McPherson wrote: I suspect I've sufficiently chummed the waters, I'll kick back and absorb all the reasons this is a whack idea :) Short summary: it's not entirely whack, but no one has yet put

Re: [arin-announce] ARIN Resource Certification Update

2011-01-27 Thread Osterweil, Eric
Sorry to be Johnny-come-lately to this... On 1/24/11 6:31 PM, Randy Bush ra...@psg.com wrote: Right, I've heard the circular dependency arguments. So, are you suggesting the RPKI isn't going to rely on DNS at all? correct. it need not. Maybe I am misunderstanding something here... Are

Re: [arin-announce] ARIN Resource Certification Update

2011-01-27 Thread Osterweil, Eric
On 1/25/11 7:04 AM, Roland Dobbins rdobb...@arbor.net wrote: On Jan 25, 2011, at 9:52 PM, Joe Abley wrote: If the DNS was as unreliable as those words suggested, nobody would use it. I see evidence of this unreliability every day, so I must respectfully disagree. The

Re: [arin-announce] ARIN Resource Certification Update

2011-01-27 Thread Jack Bates
On 1/27/2011 7:51 PM, Osterweil, Eric wrote: I think the bottom line is that this infrastructure will allow a security solution to reach deployment_much_ sooner than a green-field design. Errr, yeah. See IPv6 deployment. Jack

Re: [arin-announce] ARIN Resource Certification Update

2011-01-27 Thread Randy Bush
Why does this stop the whole thing short? the devil is in the details and the trust. i am desperately open to other approaches. but work it out at the detailed level, not just a troll on nanog. i anxiously await your and danny's draft. randy

Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Roland Dobbins
On Jan 25, 2011, at 9:52 PM, Joe Abley wrote: If the DNS was as unreliable as those words suggested, nobody would use it. I see evidence of this unreliability every day, so I must respectfully disagree. The reality is that everybody uses it. The reality is that they don't really have a

Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Charles N Wyble
On 1/24/2011 8:52 PM, Roland Dobbins wrote: On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: thinking of using DNS is tempting The main arguments I see against it are: 2. The generally creaky, fragile, brittle, non-scalable state of the overall DNS infrastructure in general.

Fwd: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread John Curran
...@arin.net Subject: [arin-announce] ARIN Resource Certification Update ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance of Internet number resource

Re: Fwd: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
thanks john. your consideration to the ops community is appreciated. ARIN continues its preparations for offering production-grade resource certification services for Internet number resources in the region. ARIN recognizes the importance of Internet number resource certification in the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 7:16 PM, Randy Bush wrote: i understand fearing holding others' private keys and critical data. no blame there. separate subject but out of curiosity, how reality based are arin's general liability fears? in the last few years, how many times has arin been a named

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an RPKI and new hierarchical shared dependency system at all and can't just place ROAs in in-addr.arpa zone files that are DNSSEC-enabled. let's wind the wayback machine to 1998

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 8:32 PM, Randy Bush wrote: let's wind the wayback machine to 1998 http://tools.ietf.org/html/draft-bates-bgp4-nlri-orig-verif-00 Yep, read that way back when it was posted initially, and again a short while back, makes good sense, methinks. And now that DNSSEC is

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
And now that DNSSEC is deployed and you are not sharing what you are smoking and DANE is happening see above randy

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 8:48 PM, Randy Bush wrote: And now that DNSSEC is deployed and you are not sharing what you are smoking root and .arpa are signed, well on the way, particularly relative to RPKI. Incremental cost of signing in-addr.arpa using a deployed DNS system as opposed to

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Joe Abley
On 2011-01-24, at 20:24, Danny McPherson wrote: separate subject Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an RPKI and new hierarchical shared dependency system at all and can't just place ROAs in in-addr.arpa zone files that are

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Joe Abley
On 2011-01-24, at 20:59, Danny McPherson wrote: On Jan 24, 2011, at 8:48 PM, Randy Bush wrote: And now that DNSSEC is deployed and you are not sharing what you are smoking root and .arpa are signed, well on the way, particularly relative to RPKI. Incremental cost of signing

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 8:59 AM, Danny McPherson wrote: I just don't like the notion of deploying a brand new system with data that at the end of the day is going to look an awful lot like the existing in-addr.arpa delegation system that's deployed, and introduce new hierarchical shared

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
I just don't like the notion of deploying a brand new system you want certificates etc? or did you plan to reuse dns keys? if the former, then all you are discussing is changing the transport to make routing security rely on dns and dns security. not a really great plan. if the latter, then

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:02 PM, Joe Abley wrote: In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and hence no opportunity for them to indicate the legitimacy of the allocation. As a thought experiment, how would you

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Richard Barnes
It's in-band only in the sense of delivery. The worst that a corruption of the underlying network can do to you is deny you updates; it can't convince you that a route validates when it shouldn't. And even denying updates to your RPKI cache isn't that bad, since the update process doesn't really

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Richard Barnes
On Mon, Jan 24, 2011 at 9:16 PM, Danny McPherson da...@tcb.net wrote: On Jan 24, 2011, at 9:02 PM, Joe Abley wrote: In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and hence no opportunity for them to indicate the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:14 PM, Randy Bush wrote: you want certificates etc? or did you plan to reuse dns keys? I suspect the former, reusing much of the SIDR machinery perhaps, although if the former, then all you are discussing is changing the transport to make routing security rely

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 9:24 AM, Danny McPherson wrote: So, are you suggesting the RPKI isn't going to rely on DNS at all? In terms of organic, real-time route validation performed by routers - which it is assumed is an ultimate goal of rPKI, at some point in the future - one should hope this

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 9:31 AM, Randy Bush wrote: the folk who sign dns zones are not even in the same building as the folk who deal with address space. I think the idea is to effectuate de-siloing in this space to the point that the DNS folks would make the appropriate delegations to the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
the folk who sign dns zones are not even in the same building as the folk who deal with address space. I think the idea is to effectuate de-siloing in this space to the point that the DNS folks would make the appropriate delegations to the addressing folks, who would then proceed to

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:21 PM, Richard Barnes wrote: The more you have to invent, though, the more this sounds like a bike-shed discussion. s/DNSSEC/X.509/g s/delegating reverse prefix zone/signing RPKI delegation certificate/g The difference is that we don't have an operational RPKI system,

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley jab...@hopcount.ca wrote: On 2011-01-24, at 20:24, Danny McPherson wrote: separate subject Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an RPKI and new hierarchical shared dependency system at all and

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Steven Bellovin
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote: On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley jab...@hopcount.ca wrote: On 2011-01-24, at 20:24, Danny McPherson wrote: separate subject Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 11:27 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote: it's not the best example, but I know that at UUNET there were plenty of examples of the in-addr tree not really following the BGP path. The other

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: thinking of using DNS is tempting The main arguments I see against it are: 1. Circular dependencies. 2. The generally creaky, fragile, brittle, non-scalable state of the overall DNS infrastructure in general. Routing and

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 11:52 PM, Roland Dobbins rdobb...@arbor.net wrote: On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: thinking of using DNS is tempting The main arguments I see against it are: 1. Circular dependencies. in the end though... if you depend upon something