Re: [ca-tf] Further CA work
-
To: Nigel Titley <nigel.titley@localhost
-
From: Tim Bruijnzeels tim@localhost
-
Date: Mon, 18 May 2009 14:02:13 +0200
Hi all,
also speaking as an individual..
On May 18, 2009, at 12:59 PM, Robert Kisteleki wrote:
(Speaking as an individual.)
Nigel Titley wrote:
Bearing in mind Russ's question in the NCC services group. When are
we
likely to be taking steps beyond the first PKI portal? As he points
out,
this is only the first step and is not really very useful on its own.
The way I interpreted his words (and as I agree with him) is that
having your own certificates about your address space, and maybe
even issuing ROAs is not a useful exercise on its own. But then, the
NCC can only go that far - we can only encourage actual real life
usage and provide the basics for our members. They are the ones that
have to decide if and how they want to use it...
Assuming this goes forward, the CA-TF needs to start chasing things
like
the up-down protocol. Do we have plans for this?
The up-down protocol has been relatively stable as an IETF draft for
quite some time now. I think that the real question is
prioritisation: when do we need to implement it? I would assume that
most of our members (from the subset of them that would actually be
interested in RPKI) will be relatively happy with the hosted
service. We'll have some number of requests for the up-down service.
So what's the threshold to start working on this? One member
request, or five or ten? Or zero?
Just to add to this we will also need the up-down protocol to support
inter-RIR transfers in the longer term. The order of magnitude
estimate from our side is that it will take around 2 months to
implement the spec (dependent on engineer availability of course). It
has been on the to do list since the beginning, but it's a matter of
priorities..
Since it's likely that most people will be able to fly with a fully
hosted, one level model (so no recursive CAs for our members' clients
just yet), we have been focussing on getting that live first. There is
also some work and investment needed here. More to the point HSMs and
setting up the infrastructure is not cheap so we should not do so
unless we have a clear mandate on this. This is one of the reasons why
asked for this mandate at the last RIPE meeting, and if interpret the
feedback correctly it seems that people do want us to go ahead.
Which brings me to list the remaining stuff for go-live without up-down:
- External trust anchor (almost done)
- BPKI service as discussed in CA-TF meeting (presentation by Erik
Rozendaal)
- Implementing new single sign-on model using the new BPKI for the
existing LIR Portal
- HSM integration (pilot results okay, need to choose vendor, order
and finish)
- Set up high available infrastructure and deploy
Whilst we are pretty sure that we have covered the risks for those
tasks we still need to do quite a bit of the actual work on them. I
think it can easily take 3 months given current availability of
resources.
That's my take on it from the technical side anyway. The actual
decision on time line strategy and the allocation of resources is not
done by the technical team. I believe this is something that the CA-TF
needs to express their wishes on, especially to Andrew. So I would
urge the CA-TF to talk to us, especially Andrew, and express their
wishes for the near future time line..
- Live without up-down at RIPE-59?
- Up-down before RIPE-60?
Please bear in mind that there are also non-technical issues that need
to be addressed. E.g. coming up with a CPS and further refine or add
policies where applicable. All this stuff actually generated a lot of
the buzz in the services wg meeting. I think we can not go live
without addressing this. So.. I think we need to start doing so soon,
and make sure it's aligned with the timeline for the technical
implementation/
Cheers,
Tim
Robert
Nigel
Tim Bruijnzeels
Senior Software Developer
RIPE NCC
tim@localhost
+31 20 535 4309
|
you are here: RIPE -> RIPE Maillists > Archives
