On Dec 6, 2012, at 5:54 PM, Arturo Servin wrote: > Eric > > Chris said much better than me. Hosted rpki is like the "go-daddy" of > RPKI. It is intended as a bootstraping solution to take rpki up.
Maybe you can help me answer the questions I posed in my last email then? :-P > The hosted solution is not aimed to everybody, it is aimed to > small/medium operators that otherwise would struggle to sign their > resources, run a CA, and run a repository. How do they get their private keys from you? This is important to think through _now_ before it becomes an operational blackhole... Also, what happens if you get DDoS'ed and I need your services? In DNS, there are a lot of registrars to choose from, and no single point of failure... The RIRs are not as plentiful in numbers as them, so you are a higher value target this way... > Large operators DO NOT need to use the hosted solution, they can if > they want but they can run their own CAs and they should. Anyone who uses you would need these services, it seems like it would be worth working out the ``what ifs,'' no? > About the EE certs for router I didn't explain correctly. Hosted > solution do not have it now because they haven't been defined yet (we > are still arguing about BGPSEC specs). However, in the moment that the > specs are ready router certs will be supported. If we've enshrined operations and practices (i.e. the hosted/HSM model) because we didn't think through the complexities, and that later impedes our needs, then we have been negligent. This seems like a pretty serious problem and it ought to be worked out now before we decide people should be doing the hosted anything. Eric _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
