[86947] in North American Network Operators' Group
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
daemon@ATHENA.MIT.EDU (George Michaelson)
Wed Nov 23 21:00:45 2005
Date: Thu, 24 Nov 2005 12:00:10 +1000
From: George Michaelson <ggm@apnic.net>
To: "william(at)elan.net" <william@elan.net>
Cc: Randy Bush <randy@psg.com>, Sandy Murphy <sandy@tislabs.com>,
nanog@nanog.org
In-Reply-To: <Pine.LNX.4.62.0511231738400.14562@sokol.elan.net>
Errors-To: owner-nanog@merit.edu

On Wed, 23 Nov 2005 17:54:44 -0800 (PST)
"william(at)elan.net" <william@elan.net> wrote:
>
>
> On Thu, 24 Nov 2005, George Michaelson wrote:
>
> > According to what I understand, there have to be two certificates
> > per entity:
> >
> > one is the CA-bit enabled certificate, used to sign
> > subsidiary certificates about resources being given to other people
> > to use.
> >
> > the other is a self-signed NON-CA certificate, used to sign
> > route assertions you are attesting to yourself: you make
> > this cert using the CA cert you get from your logical parent.
>
> So how is the 2nd one different from the first?

The important distinction is that the certificate used to sign resource
assertions doesn't have the CA bit set.

-George
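
The effect of the CA bit described in this message can be checked with the `openssl` command line. The script below is an added example, not part of the original thread: it builds a parent, an entity CA certificate (CA:TRUE) and an entity signing certificate (CA:FALSE), then shows that path validation rejects anything issued with the signing certificate's key. All names are constructed, and issuing the signing certificate under the entity's CA certificate is an assumption about the layout being discussed.

```shell
#!/bin/sh
# Added example: subjects, file names and the three-level layout are
# constructed for the demo. Requires the openssl CLI (1.1.1 or later).

mkcert() {  # mkcert NAME ISSUER SECTION: new key for NAME, cert signed by ISSUER
  openssl req -config c.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile c.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

chain_ok() {  # chain_ok LEAF INTERMEDIATES: validate a path up to parent.pem
  openssl verify -CAfile parent.pem -untrusted "$2" "$1" >/dev/null 2>&1
}

ca_bit_demo() (
  d=$(mktemp -d) && cd "$d" || exit 2
  trap 'rm -rf "$d"' EXIT
  cat > c.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = critical,CA:FALSE
EOF
  # Logical parent: self-signed trust anchor with the CA bit set.
  openssl req -config c.cnf -x509 -newkey rsa:2048 -nodes -subj "/CN=parent" \
    -keyout parent.key -out parent.pem -days 1 -extensions ca 2>/dev/null || exit 2
  mkcert entity-ca parent ca || exit 2          # signs subsidiary certificates
  mkcert entity-signer entity-ca ee || exit 2   # signs assertions, CA bit clear
  # Misuse: the signing key is used to issue a further certificate.
  mkcert rogue entity-signer ee || exit 2
  cat entity-ca.pem entity-signer.pem > both.pem
  if chain_ok entity-signer.pem entity-ca.pem; then s=valid; else s=rejected; fi
  if chain_ok rogue.pem both.pem; then r=valid; else r=rejected; fi
  echo "signer=$s rogue=$r"
)

ca_bit_demo
```

The signing tool itself does not stop the non-CA key from issuing `rogue.pem`; the rejection comes from the relying party's path validation, which is where the CA bit is enforced.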