[130452] in North American Network Operators' Group
Re: [ncc-services-wg] RPKI Resource Certification: building features
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Oct 3 22:43:57 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <m2pqvqzoa4.wl%randy@psg.com>
Date: Sun, 3 Oct 2010 19:38:52 -0700
To: Randy Bush <randy@psg.com>
Cc: North American Network Operators Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
>> Do you think there is value in creating a system like this?
>
> yes. though, given issues of errors and deliberate falsifications, i am
> not entirely comfortable with the whois/bgp combo being considered
> formally authoritative. but we have to do something.
>
>> Are there any glaring holes that I missed?
>
> yes. the operator should be able to hold the private key to their
> certificate(s) or the meaning of 'private key' and the security
> structure of the [ripe part of the] rpki is broken.
>
> randy
I'll go a step further and say that the resource holder should be
the ONLY holder of the private key for their resources.
Owen