Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Randy Bush writes: >> We need prefix ownership certs; these need a special field identifying the >> prefix owned. (See RFC 3779, which also describes AS certificates). We >> need the latter in CA form, for delegation. > >sorry to complicate, by iana allocates as r

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread George Michaelson
On Wed, 23 Nov 2005 17:42:21 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > > We need prefix ownership certs; these need a special field > > identifying the prefix owned. (See RFC 3779, which also describes > > AS certificates). We need the latter in CA form, for delegation. yes. the resource c

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
> We need prefix ownership certs; these need a special field identifying the > prefix owned. (See RFC 3779, which also describes AS certificates). We > need the latter in CA form, for delegation. sorry to complicate, by iana allocates as ranges which are then subbed to rirs. so the ca bit coul

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Randy Bush writes: > We are discussing how we can do subsidiary certificate services like this in APNIC but I think this goes outside of routing policy and into registry business practices which are unlikely to be common for all RIR and NIR in th

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, George Michaelson writes: > >On Wed, 23 Nov 2005 17:54:44 -0800 (PST) >"william(at)elan.net" <[EMAIL PROTECTED]> wrote: > >> >> >> On Thu, 24 Nov 2005, George Michaelson wrote: >> >> > According to what I understand, there have to be two certificates >> > per en

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
>>> We are discussing how we can do subsidiary certificate services like >>> this in APNIC but I think this goes outside of routing policy and >>> into registry business practices which are unlikely to be common >>> for all RIR and NIR in the ways that resource certificates *have* >>> to be. >> >

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread George Michaelson
On Wed, 23 Nov 2005 16:39:11 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > >> [0] - i'll want the business cert to have the ca bit if i am > >> large enough to have internal authorization process, and > >> thus want to create and manage different certs for dns, > >> billing, ...

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
>> [0] - i'll want the business cert to have the ca bit if i am >> large enough to have internal authorization process, and >> thus want to create and manage different certs for dns, >> billing, ... > > We are discussing how we can do subsidiary certificate services like > this

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread George Michaelson
On Wed, 23 Nov 2005 16:03:35 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > > According to what I understand, there have to be two certificates > > per entity: > > > > one is the CA-bit enabled certificate, used to sign > > subsidiary certificates about resources being given to other people >

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
> According to what I understand, there have to be two certificates per > entity: > > one is the CA-bit enabled certificate, used to sign subsidiary > certificates about resources being given to other people to use. > > the other is a self-signed NON-CA certificate, used to sig

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread George Michaelson
On Wed, 23 Nov 2005 17:54:44 -0800 (PST) "william(at)elan.net" <[EMAIL PROTECTED]> wrote: > > > On Thu, 24 Nov 2005, George Michaelson wrote: > > > According to what I understand, there have to be two certificates > > per entity: > > > > one is the CA-bit enabled certificate, used to sign

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread william(at)elan.net
On Thu, 24 Nov 2005, George Michaelson wrote: According to what I understand, there have to be two certificates per entity: one is the CA-bit enabled certificate, used to sign subsidiary certificates about resources being given to other people to use. the other is a s

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, George Michaelson writes: > > >According to what I understand, there have to be two certificates per >entity: > > one is the CA-bit enabled certificate, used to sign subsidiary > certificates about resources being given to other people to use. > >

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread George Michaelson
According to what I understand, there have to be two certificates per entity: one is the CA-bit enabled certificate, used to sign subsidiary certificates about resources being given to other people to use. the other is a self-signed NON-CA certificate, used to sign

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
> So when one receives an update, which part is it that you verify with > the certificate derived from the RIR chain and which part is it that you > verify with the certificate derived from the web-of-trust? I'm guessing > the answer in part is that there's a signature attesting to the > prefix o

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Sandy Murphy
>My issue is that if ISPs a) only announce networks that they know >(for different values of know - but hopefully based on some kind of >trust in the RIR's data) they are authorized to announce, and b) took >responsibility for the behavior of the paths or prefixes they >announce, and the bits tha

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Sandy Murphy
>in operation, this means that there could be isp- (or ufo-)centric >isp identity certification (a la web of trust, for example) which >could have a very separate cert chain from that of address space >allocation, which, aside from the legacy issue, could come via the >rirs. So when one receives

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Andre Oppermann
Rodney Joffe wrote: As another thought: - Love 'em or hate 'em, the PSTN doesn't have this problem. Uh, PSTN does have this problem too. If you are part of SS7 you can totally fake call origination information. This has been and still is abused for criminal-malicious activities and 'billin

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
> My issue is that if ISPs a) only announce networks that they know > (for different values of know - but hopefully based on some kind of > trust in the RIR's data) they are authorized to announce, and b) took > responsibility for the behavior of the paths or prefixes they > announce, and

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Rodney Joffe
On Nov 23, 2005, at 11:09 AM, Randy Bush wrote: not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net. but this is orthogonal to my trust in their compe

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Randy Bush
>> not exactly. there are two trusts here. i have to accept that >> asns as incompetent at configuration as i are attesting to prefixes >> and paths or i won't be able to get to a large part of the net. >> >> but this is orthogonal to my trust in their competence to attest to >> the identity of

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-23 Thread Rodney Joffe
On Nov 22, 2005, at 2:59 PM, Randy Bush wrote: [ you know all this, but i think it is worth going through the exercise ] That said, I think the problem is that we need an algebra of trust that will let a program, not a human, decide whether or not to trust a certificate. You don't want

Re: How to check the As path from internet

2005-11-23 Thread Stephane Bortzmeyer
On Wed, Nov 23, 2005 at 05:45:30PM +0600, Md. kamal Hossain <[EMAIL PROTECTED]> wrote a message of 54 lines which said: > I am a newbie in bgp. I'm not sure that the NANOG charter allows posting by BGP newbies :-) But, since I'm not an operator myself: > Would any one describe the as path from th

How to check the As path from internet

2005-11-23 Thread Md. kamal Hossain
Dear all, I am a newbie in bgp. Would anyone describe the as path from the looking glass and would tell me some free looking glass url. Best of luck, kamal