Re: [Last-Call] [lamps] Fwd: Last Call: <draft-ietf-sidrops-rpki-has-no-identity-04.txt> (The I in RPKI does not stand for Identity) to Proposed Standard

Michael Jenkins <m.jenkins.364706@xxxxxxxxx> wrote:
    > It appears that RPKI certificates are actually authorization bearer tokens
    > issued by the CA. The CA holds the private key, and the INR holder doesn't?
    > But somehow does, and is somehow using it to sign invoices and love
    > letters.

I read that part too, and I was a bit confused as well.
It's not that the CA holds the private key to the EE RPKI certificate.

It's that the EE RPKI certificate, being a certificate, is signed by the CA.
(Exactly as you'd expect of any CA->EE certificate.)
The RPKI certificate is a statement of ownership of INRs by that EE.
That certificate can be updated/replaced based upon somewhat weak
username/password logins to the RIR's web sites.

The EE certificate can then be used in various forms of BGP security (mostly
not yet well deployed), and also to sign policy objects about which ASN is
authoritative for which prefixes.

    > Ultimately, I'm not sure why anyone will pay attention to this RFC(-to-be)
    > any more than RFC 6480, which apparently already says "An important
    > property of this PKI is that certificates do not attest to the identity of
    > the subject" - which again calls into question whether these are
    > certificates at all (as opposed to authorization tokens). Maybe the
    > solution isn't more RFCs asserting the lack of identity binding, but more
    > token management?

I agree.
I don't think another RFC will help among those technical people who really
understand things, nor will it help among the semi-technical lawyers who don't understand things.
It's only the people in between that might be impressed by an RFC.

If I want to sign an agreement with AS64512 for something, and my lawyer says
that I can obtain AS64512's public key from the RPKI, then it seems like
maybe that's between me and my lawyer.
Maybe we also want to exchange some hashes of SubjectPublicKeyInfo as well,
but that would really be a private discussion.

Should I be concerned that the people who control the HSM for AS64512 might
not be authoritative to sign contracts? Sure. Do I need an RFC to tell me
that? I dunno.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
