[87022] in North American Network Operators' Group


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Nov 28 21:45:34 2005

From: Randy Bush <randy@psg.com>
Date: Mon, 28 Nov 2005 16:45:02 -1000
To: Sandy Murphy <sandy@tislabs.com>
Cc: nanog@nanog.org
Errors-To: owner-nanog@merit.edu


> proof of identity
> S(withRIRkey, AS_A_key, AS_A)
> or
> S(withwebofttrustkeys, AS_A_key, AS_A)
>              maybe Randy is saying this is two steps, not an "OR"

S(withRIRkey, someNonRIRidentity, asA)

i.e. the rir attests that the entity whose identity is externally
certified has been issued asA (or prefixP).

the isp may have gotten their identity from thawte, some web
of trust, or santa claus.  the point, as smb notes, is that
the public cert of the isp is given to the rir(s) as part of
the business contract.  it has no need to be rir-generated,
though the rirs offering cert generation as a service will
likely be useful to small lirs who have no other corporate
business/privacy preferences.

randy
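
Added example, not part of the original message: a sketch of the attestation S(withRIRkey, someNonRIRidentity, asA), in which the RIR signs a binding between a key it did not generate and an AS number, and a relying party checks both signatures. Ed25519, the `Attestation` layout, the names `Attest` and `VerifyOrigin`, and the AS number and prefix (documentation values) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Attestation models S(withRIRkey, someNonRIRidentity, asA).
// The field layout is an assumption made for this example.
type Attestation struct {
	HolderKeyHash [32]byte // digest of the ISP's externally certified public key
	ASN           uint32   // resource the RIR issued to that holder
	Sig           []byte   // RIR signature over HolderKeyHash || ASN
}

// payload builds the byte string the RIR signs.
func payload(h [32]byte, asn uint32) []byte {
	b := make([]byte, 36)
	copy(b, h[:])
	binary.BigEndian.PutUint32(b[32:], asn)
	return b
}

// Attest is run by the RIR: it binds a key it did not generate to an AS number.
func Attest(rir ed25519.PrivateKey, holder ed25519.PublicKey, asn uint32) Attestation {
	h := sha256.Sum256(holder)
	return Attestation{HolderKeyHash: h, ASN: asn, Sig: ed25519.Sign(rir, payload(h, asn))}
}

// VerifyOrigin is run by a relying party: msg is accepted for asn only if the
// RIR signed the key-to-AS binding and the bound key signed msg.
func VerifyOrigin(rirPub, holder ed25519.PublicKey, att Attestation, asn uint32, msg, sig []byte) bool {
	if att.ASN != asn || sha256.Sum256(holder) != att.HolderKeyHash {
		return false // attestation is for another AS or another key
	}
	if !ed25519.Verify(rirPub, payload(att.HolderKeyHash, att.ASN), att.Sig) {
		return false // binding was not signed by the RIR
	}
	return ed25519.Verify(holder, msg, sig)
}

func main() {
	rirPub, rirPriv, _ := ed25519.GenerateKey(nil) // RIR signing key
	ispPub, ispPriv, _ := ed25519.GenerateKey(nil) // ISP key, obtained elsewhere
	att := Attest(rirPriv, ispPub, 64500)
	msg := []byte("origin AS64500 192.0.2.0/24") // constructed sample
	fmt.Println(VerifyOrigin(rirPub, ispPub, att, 64500, msg, ed25519.Sign(ispPriv, msg)))
}
```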

