Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-05 Thread Randy Bush
alex, i am not gonna argue with you. 96% of your users will be happy for you to do everything for them, despite the fact that the wrong holder has the keys (and, as john says, the liability). but 96% of your address space, i.e. the large holders, will want to hold their own keys and talk up/dow

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-05 Thread Alex Band
On 4 Oct 2010, at 23:18, Randy Bush wrote: 1) We have not implemented support for this yet. We plan to go live with the fully hosted version first and extend it with support for non-hosted systems around Q2/Q3 2011. this is a significant slip from the 1q11 we were told in prague. care to expl

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-04 Thread Randy Bush
> 1) We have not implemented support for this yet. We plan to go live > with the fully hosted version first and extend it with support for > non-hosted systems around Q2/Q3 2011. this is a significant slip from the 1q11 we were told in prague. care to explain. > Randy Bush who is cc-ed may be ab

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-04 Thread Owen DeLong
>> >> No... I'm saying that if ISPs aren't the only entities that hold their >> private keys, then they aren't the only entities that can sign their >> resources. > > The hosted system that we created uses Hardware Signing Modules (HSM) > for generating keys and signing operations. By design it i

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-04 Thread Owen DeLong
> >> I'll go a step further and say that the resource holder should be >> the ONLY holder of the private key for their resources. >> >> Owen > > If you're saying that ISPs can only participate in an RPKI scheme if they > run their own Certificate Authority, then I think that would practically >

Re: RPKI Resource Certification: building features

2010-10-04 Thread Alex Band
The thread got a bit torn apart due to some cross posting, so here are Randy and Owen's replies to keep it all together: On Oct 3, 2010, at 7:26 PM, Randy Bush wrote: Do you think there is value in creating a system like this? yes. though, given issues of errors and deliberate falsifications

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-04 Thread Alex Band
On Mon, October 4, 2010 04:38, Owen DeLong wrote: > > On Oct 3, 2010, at 7:26 PM, Randy Bush wrote: > >>> Do you think there is value in creating a system like this? >> >> yes. though, given issues of errors and deliberate falsifications, i am >> not entirely comfortable with the whois/bgp combo b

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-04 Thread mkarir
qu...@ripe.net wrote: Message: 1 From: Alex Band Date: Sun, 3 Oct 2010 19:08:33 +0200 To: ncc-services...@ripe.net, routing...@ripe.net Subject: [routing-wg] RPKI Resource Certification: building features Most of the discussions around RPKI Resource Certification that have been held up to now h

Re: RPKI Resource Certification: building features

2010-10-04 Thread Alex Band
And here is my reply to them... On Mon, October 4, 2010 04:38, Owen DeLong wrote: On Oct 3, 2010, at 7:26 PM, Randy Bush wrote: Do you think there is value in creating a system like this? yes. though, given issues of errors and deliberate falsifications, i am not entirely comfortable wi

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-03 Thread Owen DeLong
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote: >> Do you think there is value in creating a system like this? > > yes. though, given issues of errors and deliberate falsifications, i am > not entirely comfortable with the whois/bgp combo being considered > formally authoritative. but we have to

Re: [ncc-services-wg] RPKI Resource Certification: building features

2010-10-03 Thread Randy Bush
> Do you think there is value in creating a system like this? yes. though, given issues of errors and deliberate falsifications, i am not entirely comfortable with the whois/bgp combo being considered formally authoritative. but we have to do something. > Are there any glaring holes that I miss

RPKI Resource Certification: building features

2010-10-03 Thread Alex Band
Most of the discussions around RPKI Resource Certification that have been held up to now have largely revolved around infrastructure and policy topics. I would like to move away from that here and discuss what kind of value and which features can be offered with Certification for network adminis