[96222] in North American Network Operators' Group


Re: IP Block 99/8 (DHS insanity - offtopic)

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Apr 24 06:25:38 2007

Date: Tue, 24 Apr 2007 06:24:46 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0704232111070.12021@marvin.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu


On Mon, 23 Apr 2007, Chris L. Morrow wrote:
> I think the strawman proposals so far were something like:
>
> 1) iana has 'root' ca-cert
> 2) iana signs down certs for RIR's
> 3) RIR's sign down certs for LIR's
> 4) LIR's sign down certs for 'users' (where 'users' is probably
> address-space users, like corporations or end-sites)
>
> This seemed not-too-insane, and would give ISP/operator type folks that
> ability to easily and quickly verify that:
>
> 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
>
> with some level of authority... It's nothing really more than that.

You can do online or offline verification of a trust chain.  RSA, certs, 
etc are just the math.  But the math doesn't change the trust.  If the
LIR/RIR directories are poorly maintained, their signatures aren't going 
to be any better.

The problem in your trust chain above is the LIRs don't actually verify 
much about the 'users'; and it's very easy to spoof the LIRs (i.e. I 
forgot my password) to change their directory information.  And the same
thing will probably be true when you ask LIRs to sign things.  I lost my
RSA cert, please sign a new one for "me".

An online chain of RWHOIS delegations or an offline chain of RSA 
certificates (for which you will still need an online CRL check) doesn't
change the problems in the LIRs (or even RIRs or IANA).  A lot of math
won't make the answer more authoritative.
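The strawman chain quoted above (IANA root, RIR, LIR, address-space user) and the CRL point in this reply, as an added toy model that is not part of the original thread or of any RPKI implementation. Signatures are textbook RSA (no padding) over SHA-256 with keys from a seeded RNG so it runs offline with only the standard library; the names RIR-1, LIR-1 and "impostor", the serials, and the assumption that the root holds all of 0.0.0.0/0 are constructed. Only 157.242.0.0/16 and LMU-1 come from the thread. The walk checks what the math can check (linkage, revocation, signature, that no cert hands down more space than its issuer held) and then shows that a second LMU-1 cert the LIR signs for a different key on a "lost my cert" request passes just the same.

```python
"""Toy IANA -> RIR -> LIR -> user delegation chain.  Textbook RSA over SHA-256,
seeded keys, stdlib only: a stand-in for illustration, not an RPKI implementation.
Names other than LMU-1, all prefixes except 157.242.0.0/16, serials and keys are
constructed for this example."""
import hashlib
import ipaddress
import json
import math
import random

E = 65537
ROOT = ("IANA", ["0.0.0.0/0"])  # assumed: the root is trusted for all of IPv4


def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; adequate for demonstration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(rng, bits=384):
    """Textbook RSA key pair ((n, e), (n, d)); n is wider than a SHA-256 digest."""
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg, priv):
    n, d = priv
    return pow(_digest(msg), d, n)


def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(msg)


def _canon(body):
    return json.dumps(body, sort_keys=True).encode()


def issue(issuer, issuer_priv, subject, subject_pub, prefixes, serial):
    """Issuer signs a statement delegating `prefixes` to `subject`'s key."""
    body = {"issuer": issuer, "subject": subject, "serial": serial,
            "prefixes": sorted(prefixes), "pubkey": list(subject_pub)}
    return {"body": body, "sig": sign(_canon(body), issuer_priv)}


def _within(prefixes, parents):
    nets = [ipaddress.ip_network(p) for p in parents]
    return all(any(ipaddress.ip_network(c).subnet_of(n) for n in nets)
               for c in prefixes)


def verify_chain(root_pub, chain, crl=()):
    """Offline walk from the root down; returns (ok, reason_or_leaf_name).
    Checks linkage, revocation, signature and prefix containment.  It cannot
    tell whether the issuer should have signed at all."""
    pub, (name, held) = root_pub, ROOT
    for cert in chain:
        body, who = cert["body"], cert["body"]["subject"]
        if body["issuer"] != name:
            return False, f"{who}: issued by {body['issuer']}, expected {name}"
        if (body["issuer"], body["serial"]) in crl:
            return False, f"{who}: revoked"
        if not verify(_canon(body), cert["sig"], pub):
            return False, f"{who}: bad signature"
        if not _within(body["prefixes"], held):
            return False, f"{who}: prefixes exceed issuer's allocation"
        pub, name, held = tuple(body["pubkey"]), who, body["prefixes"]
    return True, name


def may_originate(prefix, root_pub, chain, crl=()):
    """Does a valid chain end in a cert covering `prefix`?  Returns (ok, leaf)."""
    ok, leaf = verify_chain(root_pub, chain, crl)
    return (ok and _within([prefix], chain[-1]["body"]["prefixes"]), leaf)


def build_scenario(seed=7):
    """Constructed chain, plus the case the post warns about: LIR-1 signs a
    second LMU-1 cert for a different key after a 'lost my cert' request."""
    rng = random.Random(seed)
    k = {n: keygen(rng) for n in ("IANA", "RIR-1", "LIR-1", "LMU-1", "impostor")}
    pub, priv = (lambda n: k[n][0]), (lambda n: k[n][1])
    to_lir = [issue("IANA", priv("IANA"), "RIR-1", pub("RIR-1"), ["157.0.0.0/8"], 1),
              issue("RIR-1", priv("RIR-1"), "LIR-1", pub("LIR-1"), ["157.242.0.0/16"], 1)]
    genuine = to_lir + [issue("LIR-1", priv("LIR-1"), "LMU-1", pub("LMU-1"), ["157.242.0.0/16"], 1)]
    reissued = to_lir + [issue("LIR-1", priv("LIR-1"), "LMU-1", pub("impostor"), ["157.242.0.0/16"], 2)]
    return pub("IANA"), genuine, reissued
```

Revoking serial 1 at LIR-1 via the CRL makes the genuine chain fail while the reissued one still verifies, which is the reply's point: the signature walk is sound, but the answer is only as authoritative as the LIR's own checks on who asked for the cert.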

