From nigel.titley at uk.easynet.net Wed May 6 17:18:58 2009
From: nigel.titley at uk.easynet.net (Nigel Titley)
Date: Wed, 06 May 2009 17:18:58 +0200
Subject: [ca-tf] Further CA work
Message-ID: <4A01AA62.2000100@uk.easynet.net>

Bearing in mind Russ's question in the NCC services group. When are we
likely to be taking steps beyond the first PKI portal? As he points out,
this is only the first step and is not really very useful on its own.

Assuming this goes forward, the CA-TF needs to start chasing things like
the up-down protocol. Do we have plans for this?

Nigel


From robert at ripe.net Mon May 18 12:59:49 2009
From: robert at ripe.net (Robert Kisteleki)
Date: Mon, 18 May 2009 12:59:49 +0200
Subject: [ca-tf] Further CA work
In-Reply-To: <4A01AA62.2000100@uk.easynet.net>
References: <4A01AA62.2000100@uk.easynet.net>
Message-ID: <4A113FA5.70205@ripe.net>

(Speaking as an individual.)

Nigel Titley wrote:
> Bearing in mind Russ's question in the NCC services group. When are we
> likely to be taking steps beyond the first PKI portal? As he points out,
> this is only the first step and is not really very useful on its own.

The way I interpreted his words (and as I agree with him) is that having
your own certificates about your address space, and maybe even issuing
ROAs, is not a useful exercise on its own. But then, the NCC can only go
that far - we can only encourage actual real life usage and provide the
basics for our members. They are the ones that have to decide if and how
they want to use it...

> Assuming this goes forward, the CA-TF needs to start chasing things like
> the up-down protocol. Do we have plans for this?

The up-down protocol has been relatively stable as an IETF draft for
quite some time now. I think that the real question is prioritisation:
when do we need to implement it? I would assume that most of our members
(from the subset of them that would actually be interested in RPKI) will
be relatively happy with the hosted service. We'll have some number of
requests for the up-down service. So what's the threshold to start
working on this? One member request, or five or ten? Or zero?

Robert

> Nigel
>


From tim at ripe.net Mon May 18 14:02:13 2009
From: tim at ripe.net (Tim Bruijnzeels)
Date: Mon, 18 May 2009 14:02:13 +0200
Subject: [ca-tf] Further CA work
In-Reply-To: <4A113FA5.70205@ripe.net>
References: <4A01AA62.2000100@uk.easynet.net> <4A113FA5.70205@ripe.net>
Message-ID:

Hi all,

also speaking as an individual..

On May 18, 2009, at 12:59 PM, Robert Kisteleki wrote:

> (Speaking as an individual.)
>
> Nigel Titley wrote:
>> Bearing in mind Russ's question in the NCC services group. When are we
>> likely to be taking steps beyond the first PKI portal? As he points out,
>> this is only the first step and is not really very useful on its own.
>
> The way I interpreted his words (and as I agree with him) is that
> having your own certificates about your address space, and maybe
> even issuing ROAs is not a useful exercise on its own. But then, the
> NCC can only go that far - we can only encourage actual real life
> usage and provide the basics for our members. They are the ones that
> have to decide if and how they want to use it...
>
>> Assuming this goes forward, the CA-TF needs to start chasing things
>> like the up-down protocol. Do we have plans for this?
>
> The up-down protocol has been relatively stable as an IETF draft for
> quite some time now. I think that the real question is
> prioritisation: when do we need to implement it? I would assume that
> most of our members (from the subset of them that would actually be
> interested in RPKI) will be relatively happy with the hosted
> service. We'll have some number of requests for the up-down service.
> So what's the threshold to start working on this? One member
> request, or five or ten? Or zero?
>

Just to add to this, we will also need the up-down protocol to support
inter-RIR transfers in the longer term.

The order of magnitude estimate from our side is that it will take
around 2 months to implement the spec (dependent on engineer
availability of course). It has been on the to-do list since the
beginning, but it's a matter of priorities..

Since it's likely that most people will be able to fly with a fully
hosted, one level model (so no recursive CAs for our members' clients
just yet), we have been focussing on getting that live first. There is
also some work and investment needed here. More to the point, HSMs and
setting up the infrastructure are not cheap, so we should not do so
unless we have a clear mandate on this. This is one of the reasons why
I asked for this mandate at the last RIPE meeting, and if I interpret
the feedback correctly it seems that people do want us to go ahead.

Which brings me to list the remaining stuff for go-live without up-down:

- External trust anchor (almost done)
- BPKI service as discussed in CA-TF meeting (presentation by Erik Rozendaal)
- Implementing new single sign-on model using the new BPKI for the
  existing LIR Portal
- HSM integration (pilot results okay, need to choose vendor, order and finish)
- Set up highly available infrastructure and deploy

Whilst we are pretty sure that we have covered the risks for those
tasks, we still need to do quite a bit of the actual work on them. I
think it can easily take 3 months given current availability of
resources.

That's my take on it from the technical side anyway. The actual decision
on time line strategy and the allocation of resources is not done by the
technical team. I believe this is something that the CA-TF needs to
express their wishes on, especially to Andrew.

So I would urge the CA-TF to talk to us, especially Andrew, and express
their wishes for the near future time line..

- Live without up-down at RIPE-59?
- Up-down before RIPE-60?

Please bear in mind that there are also non-technical issues that need
to be addressed. E.g. coming up with a CPS and further refining or
adding policies where applicable. All this stuff actually generated a
lot of the buzz in the services wg meeting. I think we can not go live
without addressing this. So.. I think we need to start doing so soon,
and make sure it's aligned with the timeline for the technical
implementation.

Cheers,

Tim

> Robert
>
>> Nigel
>

Tim Bruijnzeels
Senior Software Developer
RIPE NCC
tim at ripe.net
+31 20 535 4309


From nigel at titley.com Wed May 6 16:36:27 2009
From: nigel at titley.com (Nigel Titley)
Date: Wed, 06 May 2009 16:36:27 +0200
Subject: [ca-tf] Further CA work
Message-ID: <4A01A06B.80203@titley.com>

Bearing in mind Russ's question in the NCC services group. When are we
likely to be taking steps beyond the first PKI portal? As he points out,
this is only the first step and is not really very useful on its own.

Assuming this goes forward, the CA-TF needs to start chasing things like
the up-down protocol. Do we have plans for this?

Nigel