>> We are using the same code that RIPE is using at http://certtest.ripe.net.
>> RIPE has been very kind to allow us to use their code. As for ARIN,
>> this is a pilot and is certainly not a final fixed-feature set. The
>> first go of this is the "hosted" solution where an ISP can come into
>> ARIN's pilot and create ROAs based off of allocations that they
>> have received from ARIN.
>>
>> All the ROAs will be placed into a rsync repository that can be retrieved
>> and validated. Specifically, here are the features that are a part of the
>> system:
>>
>> * Enables ARIN resource holders to request certificates for their IPv4 and
>>   IPv6 Provider Aggregatable (PA) resources
>> * Enables ARIN resource holders to manage Route Origin Authorizations
>>   (ROAs) for their PA address space
>> * Provides a public repository of certificates and ROAs
>> * Handles key rollovers and revocations
>
> the simple version of the question: who holds my private key(s)?

i guess the answer is ARIN does. not very private are they.

> the longer version: does this implement my having my own subsidiary CA
> with it communicating with ARIN's and RIPE's ... using the protocols of
> the ietf sidr work?

i guess not. so how do i, a transit provider arin member, get certs and
roas for my downstream multi-homed customers?

randy