[157332] in North American Network Operators' Group
Re: If you are using APNIC as an RPKI trust anchor,
daemon@ATHENA.MIT.EDU (George Michaelson)
Mon Oct 15 20:46:37 2012
From: George Michaelson <ggm@algebras.org>
In-Reply-To: <m2zk3nk3ei.wl%randy@psg.com>
Date: Tue, 16 Oct 2012 10:44:26 +1000
To: Randy Bush <randy@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 16/10/2012, at 4:15 AM, Randy Bush <randy@psg.com> wrote:
>> APNIC will be switching to a new RPKI 'split' trust anchor system on
>> the 25th of October. This change is needed to align APNIC administered
>> resources with their allocation hierarchy. These resources will also
>> be certified under each responsible parent registry at the appropriate
>> time.
>> ...
>> If you have any questions please contact me.
>
> ok. i'll bite. what the heck is this meant to support? i thought the
> rirs were moving from five TALs to one.
>
> randy, very confused
>
Randy, we have an operational need to separate the existing single TAL
into its discrete components for each source, so we can have production
certificates for each source, so that we can ultimately have them signed
under their appropriate parent registry.
Once there is a global trust anchor, you can validate the 5 APNIC operating
CAs under a single root, single TAL. Until then, an APNIC TAL is necessary.
-George