On 05/04/2012 11:01 PM, Jakob Heitz wrote:
Might it be possible to create the key pair on the router? Then you don't have to move the private key to the router, You move the public key off the router. Much easier.
you could, but I presume the thing being created is really a cert (ee-cert) and is signed by the 'as-cert' that is published in the RPKI so folk can say: This route I see, is signed by bloof123 which is signed by bloof-asn - that looks like AS123's cert, and the sig is in the place where AS123 is supposed to be"
So, you'd need to effectively (I think) do a CSR, send that to the CA for signing, and off back with the actual Cert to the device.
-chris _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
