[g4] Re: [ca-tf] Draft pre-read document for the CA-TF workshop of 13 February
Henk Uijterwaal henk at ripe.net
Wed Feb 14 15:49:50 CET 2007
Hi all,

> It is often implied that certification will improve the overall quality
> of registration data and provide a better handle on who is the user of a
> certain block of address space. I argue that it is more likely that this
> will not be the case:
>
> 1) New certificates for existing address space will be based on the
> current registration data. So by definition they cannot be more
> accurate.

If we hand out certificates for all our data based on current registration data, then yes, you are right. If, OTOH, we only make certificates available to people who ask for it, then the data quality will improve, as one can ask the LIR to check the data before the certificate is handed out.

> 2) When certificates and registration databases co-exist both systems
> will diverge and show different information. Is this an improvement?

No, it is not, but then I would not design the system such that there are two master DB's that are independently maintained. There should be one that is the master and is maintained. All other systems should pull their information from there. And all business/system analysis that we have done so far, assumes that there is one (internal) registration DB, with all resources belonging to a LIR. If there are changes, that one is updated, then the certificate is generated from that data and thus will always be consistent with our internal records. This obviously doesn't help, but nor does it have a negative impact, on DB's that people maintain themselves.

> The registration databases also serve valid functions for
> other users ranging from policy makers via law-enforcement to individual
> Internet users. Deterioration of the databases will cause dissatisfaction
> and resistance from those users. How are we going to deal with that?

I think the focus will change:

* It will be clear that the person who is asking another party to do something with a resource, is actually authorized to use it, thus reducing the number of incidents.
* Certificates will have to be renewed. At this point, one can ask people to verify if data is still correct, and if not, correct it before the new cert is generated. (And this is something that can be automated to a large extent).

Henk

--
------------------------------------------------------------------------------
Henk Uijterwaal                           Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre          http://www.amsterdamned.org/~henk
P.O.Box 10096          Singel 258         Phone: +31.20.5354414
1001 EB Amsterdam      1016 AB Amsterdam  Fax: +31.20.5354445
The Netherlands        The Netherlands    Mobile: +31.6.55861746
------------------------------------------------------------------------------

# Lawyer: "Now sir, I'm sure you are an intelligent and honest man--"
# Witness: "Thank you. If I weren't under oath, I'd return the compliment."
