Ryan Shea wrote:
An RIR may not have the same incentives to verify that me and my public
key are truly associated with AS702 - so as an RP I need to think about
how much I trust that the public key associated with a ROA that comes
from this RIR. Further, as a provider I do not have the same ability to
take my business elsewhere with regards to an RIR and allocated
resources. As a corporation I can choose to end all associations with
CyberTrust, both as a signer of our certificates and as a trusted CA
much easier than cutting all ties with an RIR in a region I operate.
The survival of an RIR is not as intricately tied to its vigilance as
with the SSL model - that is the gist of what I am saying.

Ryan,

You are stating that only an RIR can certify a resource (which is allocated
through that RIR). This is not true. On the contrary, _anyone_ can certify
your resources. The question is, who will the third parties (i.e. not you and
not the certifier(s)!) trust -- the entity whose business is to _know_ who
has those resources, or someone else?

As Steve has already explained numerous times, anyone can nominate
themselves to be a Trust Anchor for RPKI (or any other PKI), but that's just
a self-proclamation. Again, third parties (people who will verify stuff)
will choose TAs, based on who they trust.

So you're absolutely free to go talk to for example Bert, and ask him to
certify your allocation. He actually might, as he's a respected pers^H^H^H^H
individual, everyone knows him, and he has been signing the DNS root for
years, so he also has a good track record. I for one would trust the guys
whose business is to manage resources, to certify those resources (no
offense, Bert :-)

Robert