RE: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

["Sanjaya" <]

> > In APNIC we use X.509 certificate to secure MyAPNIC (similar to LIR
> > Portal). Having X.509 auth in the whois db would make a better
> > integration with this facility.
> 
> Is this then being widely used? No issues with client support and 
> configurations?

Hi Kurtis,
We have about 450 certificates issued so far. On Windows platform
client support works fine for all browsers (IE, Netscape, Opera,
Mozilla). OS-X is ok with Netscape and Opera (Opera in OS-X has some
problems in handling .css, but that's not X.509 related). Linux
is fine with Netscape and Mozilla.
The hardest thing is to get the requestor to send their photo-id! :-)
which is required by our Certificate Practice Statement.

> > We have also been closely monitoring IETF's PKIX working group
> > where there's an effort to certify ASN and internet addresses to
> > protect routing announcements. This might eventually affect how
> > the public will use the internet routing registry, which is also
> > part or our whois database.
> >
> > We expect X.509 will be used to make certified statements about
> > resource allocation as part of S-BGP or SO-BGP and/or wider
> > requirements for authoritative statements on resources
> >
> I am not following the PKIX WG. Do you have any links to 
> information on this, or how this is planned to be implemented?

For the PKIX draft see:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-
01.txt

On S-BGP check this site:
http://www.ir.bbn.com/projects/sbgp/

On SoBGP:

ftp://ftp-eng.cisco.com/sobgp/index.html

Some comments on soBGP/sBGP:
http://www.psg.com/~randy/030603.nanog-sxbgp.pdf
http://www.nanog.org/mtg-0306/pdf/meyer.pdf

Hope this helps.
Cheers,
Sanjaya

> Best regards,
> 
> - - kurtis -