[115573] in North American Network Operators' Group

Re: question about Mark Koster's ARIN presentation

daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Jun 29 21:50:38 2009

Date: Tue, 30 Jun 2009 10:50:24 +0900
From: Randy Bush <randy@psg.com>
To: Mark Kosters <markk@arin.net>
In-Reply-To: <m2bpocj64c.wl%randy@psg.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>, Sandy Murphy <sandy@tislabs.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>> We are using the same code that RIPE is using at http://certtest.ripe.net.
>> RIPE has been very kind to allow us to use their code.  As for ARIN,
>> this is a pilot and is certainly not a final fixed-feature set. The
>> first go of this is the "hosted" solution where an ISP can come into
>> ARIN's pilot and create ROAs based off of allocations that they
>> have received from ARIN. 
>> 
>> All the ROAs will be placed into a rsync repository that can be retrieved 
>> and validated. Specifically, here are the features that are a part of the 
>> system:
>> 
>> *  Enables ARIN resource holders to request certificates for their IPv4 and 
>>    IPv6 Provider Aggregatable (PA) resources
>> *  Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) 
>>    for their PA address space
>> *  Provides a public repository of certificates and ROAs
>> *  Handles key rollovers and revocations
> 
> the simple version of the question: who holds my private key(s)?

i guess the answer is ARIN does.  not very private are they.

> the longer version: does this implement my having my own subsidiary CA
> with it communicating with ARIN's and RIPE's ... using the protocols of
> the ietf sidr work?

i guess not.

so how do i, a transit provider arin member, get certs and roas for my
downstream multi-homed customers?

randy

