[135872] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jan 30 12:45:03 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20110130.172804.74653776.sthaug@nethelp.no>
Date: Sun, 30 Jan 2011 09:40:02 -0800
To: sthaug@nethelp.no
Cc: nanog@nanog.org, carlos@lacnic.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 30, 2011, at 8:28 AM, sthaug@nethelp.no wrote:
>>> - Hosted solutions offer a low barrier entry to smaller =
organizations
>>> who simply cannot develop their own PKI infrastructure. This is the
>>> case where they also lack the organizational skills to properly =
manage
>>> the keys themselves, so, in most cases at least, they are *better =
off*
>>> with a hosted solution
>>>=20
>> They also offer an attractive target for miscreants with a huge =
payoff
>> if they are ever compromised.
> ...
>>> For RIPE, their hosted solution is clearly meeting expectations =
within
>>> their region. Other region=B4s mileage may vary. I hope we (LACNIC) =
can
>>> do just as well.
>>>=20
>> We'll see how people feel after the first time it gets pwn3d.
>=20
> I am already trusting RIPE with my data - specifically, RIPE publishes
> route objects for my prefixes, and my transit providers generate their
> prefix lists based on these route objects. I fail to see how a hosted
> RPKI solution would make this situation worse.
>=20
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Because they publish data you have signed. They don't have the ability
to modify the data and then sign that modification as if they were you =
if
they aren't holding the private key. If they are holding the private =
key,
then, you have, in essence, given them power of attorney to administer
your network.
If you're OK with that, more power to you. It's not the trust model I =
would
prefer.
Owen
