[86962] in North American Network Operators' Group


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Nov 24 20:07:56 2005

Date: Thu, 24 Nov 2005 20:07:19 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: nanog@nanog.org
In-Reply-To: <20051124033046.0D3BD3BFC6B@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu


On Wed, 23 Nov 2005, Steven M. Bellovin wrote:
> I think the problem is both easier and harder than painted.  First, you
> need a business agreement that you will accept each others' assertions
> of member identities, aka certificates.  Second, you have to agree on a
> common format and meaning for certain fields, including things like
> CRLs.
>
> I'm not sure if I think the technical specs or the business agreement
> are the hard parts...

Ah, the business issues start bubbling to the surface.  Have you noticed
that, for various reasons, network service providers don't like to "sign"
or "certify" the business activities of other entities?  In the 1990's
several network service providers (AT&T, BBN, etc.) established PKIs, but
now very few network service providers will "certify" S/MIME e-mail, SSL
web, or other types of third-party activity.

Although technical folks may think it's just about math, unfortunately some
people think certificates and signatures mean more than just mathematical
formulas.  I'm a bit confused why people think network service providers
will be willing to "certify" transitive trust relationships about business
relationships between third parties.
