
Re: [g4] Re: [ca-tf] Draft pre-read document for the CA-TF workshop of 13 February

  • To: Daniel Karrenberg
  • From: Henk Uijterwaal
  • Date: Wed, 14 Feb 2007 15:49:50 +0100
  • Cc: Leo Vegoda, Andrew de la Haye, RIPE NCC Senior Management
  • Organization: RIPE NCC

Hi all,

> It is often implied that certification will improve the overall quality
> of registration data and provide a better handle on who is the user of a
> certain block of address space.  I argue that it is more likely that this
> will not be the case:
>
> 1) New certificates for existing address space will be based on the
> current registration data.  So by definition they cannot be more
> accurate.

If we hand out certificates for all our data based on current registration
data, then yes, you are right.  If, OTOH, we only make certificates available
to people who ask for it, then the data quality will improve, as one can ask
the LIR to check the data before the certificate is handed out.

> 2) When certificates and registration databases co-exist both systems
> will diverge and show different information. Is this an improvement?

No, it is not, but then I would not design the system such that there are
two master DB's that are independently maintained.  There should be one
that is the master and is maintained.  All other systems should pull
their information from there.

And all business/system analysis that we have done so far, assumes that
there is one (internal) registration DB, with all resources belonging to
a LIR.  If there are changes, that one is updated, then the certificate
is generated from that data and thus will always be consistent with our
internal records.  This obviously doesn't help, but nor does it have a
negative impact, on DB's that people maintain themselves.


> The registration databases also serve valid functions for
> other users ranging from policy makers via law-enforcement to individual
> Internet users. Deterioration of the databases will cause dissatisfaction
> and resistance from those users. How are we going to deal with that?

I think the focus will change:

* It will be clear that the person who is asking another party to do something
  with a resource, is actually authorized to use it, thus reducing the number
  of incidents.

* Certificates will have to be renewed.  At this point, one can ask people to
  verify if data is still correct, and if not, correct it before the new cert
  is generated.  (And this is something that can be automated to a large
  extent).

Henk



--
------------------------------------------------------------------------------
Henk Uijterwaal                           Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre          http://www.amsterdamned.org/~henk
P.O.Box 10096          Singel 258         Phone: +31.20.5354414
1001 EB Amsterdam      1016 AB Amsterdam  Fax: +31.20.5354445
The Netherlands        The Netherlands    Mobile: +31.6.55861746
------------------------------------------------------------------------------

# Lawyer: "Now sir, I'm sure you are an intelligent and honest man--"
# Witness: "Thank you. If I weren't under oath, I'd return the compliment."



 
