Let me start by saying a couple of positive things:
1) In order to even start on securing this space, we are going to need
some sort of certificates
2) As far as I can tell, in order for the certificates to make any sense
they have got to be related to the hierarchy of address assignment.
(Private addresses are a different matter.)
So I do think the approach we are on is the right approach.
But, Steve, I think you are misunderstanding the issue David Conrad
raises. (What follows is my understanding of what he pointed out, and I
could also be confused.)
If there is such a hierarchy, then, look at what happens from a leaf ISP
down the tree. They need to reliably be able to advertise their routes,
and have everyone trust their advertisements if they sign with the key
they registered.
Given the scope, this almost inherently requires that there be a single
(or maybe a small number of disjoint) starting point. Otherwise,
receivers will not have access to and trust of the chains.
But now turn it around. Suppose that ISP is unsure as to whether they
actually trust the hierarchy. Or even if they trust it now, they are
concerned that with a political change, they might not trust the
situation then. Yes, you can argue that the ISP can register with
whomever they like. But that is only useful if there is a trust chain
that other people believe between them and that whomever.
This turns into a massive political and public relations pain.
I don't know a better answer.
But ignoring this dimension of the deployment problem will not serve us
well.
Yours,
Joel
Stephen Kent wrote:
At 9:51 AM +1000 9/15/09, Terry Manderson wrote:
Hi John,
While I appreciate the work by Steve here to allow a relying party to
put on the rose coloured validation glasses, it is an inside view
looking out. That means it allows an organisation to locally say what
it believes is the RPKI view of the world irrespective of what is said
globally.
Terry,
I think you misunderstand the nature of trust anchors in PKIs. No
entity can force all relying parties to adopt the entity as a TA, period.
The acceptance of a TA is always a local matter, if the software is
properly designed. For example, in most of my browsers I can choose to
remove the many self-signed CA certs that the browser vendor has chosen
to present to me as TAs. Only if the user (RP) is forced to use software
that fails to offer such choices does a third party have an ability to
impose its view of who is and is not a TA. This "sphere of influence"
notion is applicable in some contexts, but it is not applicable to all
the ISPs in the world.
So, rather than characterizing the local TA management model that I
presented as "rose coloured validation glasses" I would say that it is a
realistic representation of what RPs ought to be able to do, and what
they will be able to do with the RP software that BBN will make
available in open source form.
So it certainly has its place - but doesn't address David's position
completely where an organisation, such as the UK government, might
wish to validly assert their own independent trust anchor for their
51/8 SIDR hierarchy and have the rest of the relying parties on the
internet collect it and validate routes against it.
The problem is that nobody, including the UK gov, can ensure that every
ISP in the world will recognize it as a TA, period. The sooner folks get
past this notion the faster we can have meaningful discussions on this
topic.
Steve
------------------------------------------------------------------------
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr