I don't understand why you can't have a hosted solution where the private keys are not held by the host.

Seems to me you should be able to use a Java Applet to do the private key generation and store the private key on the end-user's machine, passing objects that need to be signed by the end user down to the applet for signing. This could be just as low-entry for the user, but without the host holding the private keys.

What am I missing?

Owen

On Jan 29, 2011, at 1:06 PM, Arturo Servin wrote:

> I agree with Alex that without a hosted solution RIPE NCC wouldn't have
> so many ROAs today; for us, even with it, it has been more difficult to roll
> out RPKI among our ISPs. As many, I do not think that a hosted solution suits
> everybody and it has some disadvantages, but at least it could help to lower
> the entry barrier for some.
>
> Speaking about RPKI stats, here is some ROA evolution in various TAs (the
> data from ARIN is from their beta test, the rest are production systems):
>
> http://www.labs.lacnic.net/~rpki/rpki-evolution-report_EN.txt
>
> And visually:
>
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/global-roa-heatmap.png
>
> and
>
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps/latest/
>
> To see each region:
>
> http://www.labs.lacnic.net/~rpki/rpki-heatmaps
>
> Also, bgpmon has a nice whois interface for humans to see ROAs (not
> sure if this link was shared here or on Twitter, sorry if I am duplicating):
>
> http://bgpmon.net/blog/?p=414
>
> Best regards,
> -as
>
> On 29 Jan 2011, at 13:26, Alex Band wrote:
>
>> John,
>>
>> Thanks for the update. With regards to offering a hosted solution, as you
>> know that is the only thing the RIPE NCC currently offers. We're developing
>> support for the up/down protocol as I write this.
>>
>> To give you some perspective, one month after launching the hosted RIPE NCC
>> Resource Certification service, 216 LIRs are using it in the RIPE Region and
>> created 169 ROAs covering 467 prefixes. This means 40151 /24 IPv4 prefixes
>> and 7274499 /48 IPv6 prefixes now have a valid ROA associated with them.
>>
>> I realize a hosted solution is not ideal; we're very open about that. But at
>> least in our region, it seems there are quite a number of organizations who
>> understand and accept the security trade-off of not being the owner of the
>> private key for their resource certificate and trust their RIR to run a
>> properly secured and audited service. So the question is, if the RIPE NCC
>> had required everyone to run their own certification setup using the
>> open source tool-sets Randy mentions, would there be this much certified
>> address space now?
>>
>> Looking at the depletion of IPv4 address space, it's going to be crucially
>> important to have validatable proof of who is the legitimate holder of Internet
>> resources. I fear that by not offering a hosted certification solution, real
>> world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet
>> community afford that?
>>
>> Alex Band
>> Product Manager, RIPE NCC
>>
>> P.S. For those interested in which prefixes and ASs are in the RIPE NCC ROA
>> Repository, here is the latest output in CSV format:
>> http://lunimon.com/valid-roas-20110129.csv
>>
>> On 24 Jan 2011, at 21:33, John Curran wrote:
>>
>>> Copy to NANOG for those who aren't on ARIN lists but may be interested in
>>> this info.
>>> FYI.
>>> /John
>>>
>>> Begin forwarded message:
>>>
>>> From: John Curran <jcur...@arin.net>
>>> Date: January 24, 2011 2:58:52 PM EST
>>> To: "arin-annou...@arin.net" <arin-annou...@arin.net>
>>> Subject: [arin-announce] ARIN Resource Certification Update
>>>
>>> ARIN continues its preparations for offering production-grade resource
>>> certification services for Internet number resources in the region. ARIN
>>> recognizes the importance of Internet number resource certification in the
>>> region as a key element of further securing Internet routing, and plans to
>>> roll out Resource Public Key Infrastructure (RPKI) at the end of the second
>>> quarter of 2011 with support for the Up/Down protocol for those ISPs who
>>> wish to certify their subdelegations via their own RPKI infrastructure.
>>>
>>> ARIN continues to evaluate offering a Hosted Resource Certification
>>> service for this purpose (as an alternative to organizations having to run
>>> their own RPKI infrastructure), but at this time it remains under active
>>> consideration and is not committed. We look forward to discussing the need
>>> for this type of service and the organizational implications at our
>>> upcoming ARIN Members Meeting in April in San Juan, PR.
>>>
>>> FYI,
>>> /John
>>>
>>> John Curran
>>> President and CEO
>>> ARIN
>>>
>>> _______________________________________________
>>> ARIN-Announce
>>> You are receiving this message because you are subscribed to
>>> the ARIN Announce Mailing List (arin-annou...@arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-announce
>>> Please contact i...@arin.net if you experience any issues.
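The split Owen sketches (host composes the object, end user's machine holds the key and signs, host only verifies and publishes) as an added example; this is not code from the thread or from any RIR's service. It is written in Go with the standard library only. The key and signature type follow the RPKI algorithm profile (RSA-2048, SHA-256, PKCS#1 v1.5, RFC 6485); the to-be-signed encoding, the `ClientSigner`/`HostedCA` names, the holder label `lir-example`, AS 64496 and 192.0.2.0/24 are constructed for this example and stand in for the real ASN.1 ROA structure of RFC 6482.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ROAPrefix is one prefix/maxLength pair in a Route Origin Authorization.
type ROAPrefix struct {
	Prefix string // e.g. "192.0.2.0/24"
	MaxLen uint8
}

// ClientSigner is the resource holder's side (the role the applet would play).
// The private key is generated here and never leaves this struct.
type ClientSigner struct {
	priv *rsa.PrivateKey
}

// NewClientSigner generates an RSA-2048 key locally; RPKI signatures are
// RSA PKCS#1 v1.5 over SHA-256 (RFC 6485), which is what Sign produces.
func NewClientSigner() (*ClientSigner, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ClientSigner{priv: priv}, nil
}

// PublicKey is the only key material the holder ever hands to the host.
func (c *ClientSigner) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Sign signs a to-be-signed object the host sent down. A real applet should
// show the holder what it is about to sign: the host composes the object, so
// blind signing would let the host obtain a signature on anything it likes.
func (c *ClientSigner) Sign(tbs []byte) ([]byte, error) {
	digest := sha256.Sum256(tbs)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
}

// HostedCA is the RIR-side service. It stores public keys and accepted signed
// objects, and has no code path that can produce a signature.
type HostedCA struct {
	pubs      map[string]*rsa.PublicKey
	published [][]byte // accepted to-be-signed bodies (signatures kept alongside in a real repo)
}

func NewHostedCA() *HostedCA {
	return &HostedCA{pubs: make(map[string]*rsa.PublicKey)}
}

// Register records a holder's public key (in a real deployment this would be
// bound to the holder's resource certificate).
func (h *HostedCA) Register(holder string, pub *rsa.PublicKey) { h.pubs[holder] = pub }

// BuildROATBS builds the to-be-signed body the host sends to the client.
// Constructed, simplified encoding (tag, origin ASN, then each prefix as a
// length-prefixed string plus maxLength); real ROAs are ASN.1 DER (RFC 6482).
func BuildROATBS(asn uint32, prefixes []ROAPrefix) []byte {
	buf := []byte("ROA-TBS-v1:")
	var asnBytes [4]byte
	binary.BigEndian.PutUint32(asnBytes[:], asn)
	buf = append(buf, asnBytes[:]...)
	for _, p := range prefixes {
		buf = append(buf, byte(len(p.Prefix)))
		buf = append(buf, p.Prefix...)
		buf = append(buf, p.MaxLen)
	}
	return buf
}

// Publish accepts an object only if sig verifies under the holder's registered
// public key; an altered body, or a signature from another holder, is rejected.
func (h *HostedCA) Publish(holder string, tbs, sig []byte) error {
	pub, ok := h.pubs[holder]
	if !ok {
		return errors.New("publish: unknown holder " + holder)
	}
	digest := sha256.Sum256(tbs)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("publish: signature check failed for %s: %w", holder, err)
	}
	h.published = append(h.published, tbs)
	return nil
}

// PublishedCount reports how many signed objects the host has accepted.
func (h *HostedCA) PublishedCount() int { return len(h.published) }

func main() {
	client, err := NewClientSigner()
	if err != nil {
		panic(err)
	}
	host := NewHostedCA()
	host.Register("lir-example", client.PublicKey())
	tbs := BuildROATBS(64496, []ROAPrefix{{Prefix: "192.0.2.0/24", MaxLen: 24}})
	sig, err := client.Sign(tbs)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine object:", host.Publish("lir-example", tbs, sig))
	altered := BuildROATBS(64497, []ROAPrefix{{Prefix: "192.0.2.0/24", MaxLen: 24}})
	fmt.Println("altered object:", host.Publish("lir-example", altered, sig))
}
```

The point of the split is visible in `HostedCA`: it can verify and publish but cannot sign, so a compromise of the host yields public keys and already-signed objects, not the ability to mint new ROAs. Two things the applet design still has to get right: the holder must see (and be able to refuse) the object before `Sign` runs, since the host chooses its contents; and a key that lives only on the end user's machine needs its own backup and revocation story, which the hosted model gets from the RIR.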