From andrew at ripe.net Tue Oct 16 18:45:22 2007
From: andrew at ripe.net (Andrew de la Haye)
Date: Tue, 16 Oct 2007 18:45:22 +0200
Subject: [ca-tf] Invitation: informal information exchange with RIPE Certification Task Force
Message-ID:

Dear colleagues,

Per the confirmation sent by Paul and Ray, I am happy to invite you for an informal information exchange meeting on Certification.

Agenda:
- Current state of affairs
- Q & A

Date: Monday, October 22nd
Venue: Grand Ballroom 9:30am-11:00 Monday

If you have any questions, please let me know.

Kind regards,
Andrew de la Haye

From plzak at arin.net Tue Oct 16 19:38:54 2007
From: plzak at arin.net (Ray Plzak)
Date: Tue, 16 Oct 2007 13:38:54 -0400
Subject: [ca-tf] RE: Invitation: informal information exchange with RIPE Certification Task Force
In-Reply-To:
References:
Message-ID:

As I said in my message to Paul Rendek, Tim Christiansen will be representing ARIN. I would also like to take this opportunity to inform you that Tim will be accompanied by Randy Bush and Rob Austein.

Ray

> -----Original Message-----
> From: Andrew de la Haye [mailto:andrew at ripe.net]
> Sent: Tuesday, October 16, 2007 12:45 PM
> To: ca-tf at ripe.net; Paul Wilson; Ray Plzak; Geoff Huston; George
> Michaelson; Tim.Christensen at arin.net
> Subject: Invitation: informal information exchange with RIPE
> Certification Task Force
>
> Dear colleagues,
>
> Per the confirmation sent by Paul and Ray, I am happy to invite you
> for an informal information exchange meeting on Certification.
>
> Agenda:
> - Current state of affairs
> - Q & A
>
> Date: Monday, October 22nd
> Venue: Grand Ballroom 9:30am-11:00 Monday
>
> If you have any questions, please let me know.
>
> Kind regards,
> Andrew de la Haye
>

From chrisb at ripe.net Mon Oct 22 17:07:10 2007
From: chrisb at ripe.net (Chris Buckridge)
Date: Mon, 22 Oct 2007 17:07:10 +0200
Subject: [ca-tf] RIPE Certification Task Force meeting minutes
Message-ID: <471CBC9E.2070408@ripe.net>

Hi all,

Please find attached a draft of the minutes from this morning's task force meeting.

Regards,
Chris

--------------------------------------------

Minutes of the RIPE Certification Task Force meeting, RIPE 55
Grand Hotel Krasnapolsky, Amsterdam

Meeting opens 9:38am

Andrew de la Haye introduced the session, and outlined the agenda.

APNIC
-----

Geoff Huston gave an update on APNIC's certification work. APNIC has been working on certification for the past two and a half years, and is now very close to producing deliverables. Work has been done in-house using existing programming resources, and the team completed production code for "APNIC as certificate issuer" last week. This currently works off a mirrored database.

APNIC have divided their client base into two types: those who issue certificates in their own right, and those who don't. The ones that don't are easy, and will be handled as a hosted service through the existing MyAPNIC portal (this is the next major piece of work). Those who will issue their own certificates, specifically National Internet Registries (NIRs), are still under discussion; at this point, it's expected that they will have to run the code themselves.

APNIC has done some preliminary work on secretariat resources. Hostmasters will not run the machinery, and there will be no operational control over certificates; the way to change a certificate will be to change the database.

APNIC is currently awaiting four other certificates of which APNIC is the subject (these will be issued by the other RIRs), as well as a final decision as to the disposition of the "various" address blocks and the assignation of the authoritative RIR for each such block.
The APNIC code has been written in Perl, using OpenSSL, and there hasn't been any inter-operational testing done yet. Geoff noted that it currently takes around four hours to run a sync, but he would like to get it down to two hours. At this stage, APNIC will do automatic issuance of a new certificate if a member receives more resources. Using OpenSSL has meant that it is running a little slower; CryptLib would have been faster, but OpenSSL has meant it can be done all in-house.

The next step for APNIC is to develop a training pack for staff, as it is important for staff to be able to talk about certification and cryptography with ease. Geoff noted that the uptake of X.509 certificates has not been as fast or widespread as hoped, and this was due to a lack of understanding in the community. APNIC is currently looking at a five-day training course for its hostmaster staff on certification.

Geoff would like to have a deployment announcement for the APNIC meeting in March, but it is obviously more important to have everything in place first, as there will only be one chance to get this right. The announcement probably won't happen until September. It was noted that the RIPE NCC is in a similar position.

APNIC have talked a lot with their NIRs, though Geoff noted that the NIRs have a different take on this, in terms of the reasoning behind certification. Progress is being made in this area though.

ARIN
----

Tim Christensen outlined ARIN's progress to date. They have faced similar challenges to APNIC, including issues with the adoption of X.509 certificates, so there is obviously a similar need to do better in "selling" certification. There will need to be significant bootstrap activity to get people engaged and understanding - this is the greatest single challenge to making it all work. Tim noted that while people are slow to get interested now, certification will become important if and when routers use these certificates for some purpose.
ARIN is behind the curve in terms of an LIR portal, but this is receiving intense internal attention. At this stage, portal and certification deployment will happen, if not in conjunction, then "with great thought toward each other".

ARIN is different to APNIC in that it has no NIRs, however it does have 2900 members, and uses SWIPs to permit members to do downstream re-allocations and assignments; this means there is significant pressure to host certification processes on behalf of customers and the customers of customers, meaning repeated instances of the certification engine. ARIN does not foresee a large number of LIRs running their own certification engines, meaning that ARIN will run everything; the portal therefore becomes more important.

Like APNIC, ARIN plans for certification to be a "hostmasterless" operation, and they will therefore need to provide tools to downstream users to drive the certification engine.

At this stage, ARIN has done far less work on integrating internal processes with the certification engine. What work has been done has been in conjunction with activity related to the portal.

Tim also noted that ARIN does not have the in-house expertise to program the RPKI engine, so this has been farmed out to Randy Bush and Rob Austein.

Randy outlined some of the technical work being done by him for ARIN. He and Rob are working toward testable code and ensuring models are correct. They are also having to do work on protocols that APNIC is not doing: the left-right protocol, how an LIR's back-end speaks to the certification engine. They are also planning for there to be a separate relationship with the person that stores your data. APNIC is looking at this differently, in part due to their more aggressive deployment schedule.

Randy noted that they are trying to get to inter-operability testing with other operations, and that they hope to be throwing packets around by the IETF meeting in the first week of December.
Randy noted the importance of getting the protocol right, however, as other RIRs and some LIRs will be playing with it. He also noted that they had been slowed by a move from Perl to Python.

Rob Austein described the work being done on three protocols. The first is a core certification engine (standard code), with a customisable interface for different RIRs or LIRs, with CMS signatures; this is the "left-right" protocol, and work on this is pretty much done. The second is the "up-down" protocol; this has to be interoperable with all players, and is not yet fully tested, though a great deal of it has been written. The third protocol (publication) has not yet been written, and will relate to a reasonably small number of operations; Rob and Randy are not expecting this to be a huge amount of work.

They are using OpenSSL for the certification engine at this stage, but are leaning toward CryptLib, even though this would mean another chunk of work. By the time it is finished, they may well be running CryptLib. Rob suspects that the ARIN code may be a little faster than APNIC's due to Python vs Perl.

Rob noted that ARIN has been looking to set a firm schedule. Randy agreed, though, that integration is the bigger issue than coding. APNIC is expecting a very small client, while ARIN is looking at different issues.

Daniel Karrenberg asked if ARIN has done any left-right testing; Rob noted that they haven't done any testing with ARIN, but that he has done some testing of his own. Randy noted the need for cooperation on testing.

Rob noted that in using Python, making a mistake means there is less code to delete, which makes things easier. This has also meant that the "prototype" may end up as the final code.

Randy noted their interest in the RIPE community's perspective on what the customer wants.
RIPE
----

Andrew outlined the RIPE approach, and noted that it is focused more on processes and policy than technical details, and looks at processes both within the RIPE NCC and beyond. Regarding technical details, Andrew noted that the RIPE NCC is a Java shop, having moved from Perl.

They currently plan to deliver a full prototype in January, which will help in identifying policy issues; this is looking at front-end rather than back-end. The outputs in this prototype will be certificate-related, but the inputs at this stage will not; this is beyond the scope of this prototype. The idea is that by looking at a resource "transfer", the prototype will incorporate all the various processes (revoke, assign, etc.). The plan at this stage is to discard the prototype once it has been used to identify the key issues, and then have a production model ready for April-May 2008.

Randy asked for some clarification on what the RIPE plan involved, and reiterated the importance of sharing work between the RIRs. Geoff noted that a lot of the spec work for APNIC's certification project was in collective brain-space, but perhaps not written down. Rob noted that the task assigned to him and Randy by ARIN is not to simply develop code for ARIN, but something that can be used by anyone to promote the adoption of a global certification system.

Daniel noted that it has been difficult to get feedback from the RIPE task force, but that he is currently compiling several application cases, which he will discuss with the task force in person. This work will look at resource transfers, automation of the provisioning process and integration with the IRR. The results of these meetings will be published as white papers in time for the next RIPE Meeting.

Randy noted that he gave a presentation at NANOG a few years back regarding routing and certification which might be useful in preparing these papers.
Randy also suggested that there are a number of customer markets that will find this useful: right-of-use issues, routing and resource transfer possibilities will all be affected.

Daniel pointed out that he is happy to have any other business cases that he has not identified brought to his attention.

It was agreed that the most significant common problem in deploying certification is education, and that the RIRs need to collaborate to ensure that this is done better. Even if user interfaces are slightly different, much of the delivery will be the same.

Geoff noted that conversations internally have often been on different levels (service area vs technical area), and that it is important to get people onto the same level; this is why APNIC is preparing a five-day course for their service department. Geoff also noted that it is necessary to get the services side to identify what they expect to be taught/to learn, as the technical teams may not understand this.

Related to this, Daniel pointed out that we are currently doing our homework on what the user wants, but it is turning out to be harder than expected.

Paul Rendek noted that there is no team coordinating how this will work inter-RIR, and that some initiative may be required in organising this. Geoff agreed, and noted that sharing between RIRs has generally happened more effectively through informal channels.

Geoff noted that the RIPE community does appear to be supportive of certification, if only from their silence. Daniel noted that this is perhaps a premature evaluation, but that the task force is moving forward.

Meeting closed 10:50am