RIPE Community Mail Archives

Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPEDatabase

  • To: Patrik Fältström < >
  • From: George Michaelson < >
  • Date: Mon, 14 Jul 2003 19:15:54 +1000
  • Cc: "Sanjaya" < >
    "'Kurt Erik Lindqvist'" < >
    < >
    < >
  • Organization: APNIC Pty Ltd

On Mon, 14 Jul 2003 07:47:11 +0200 Patrik Fältström paf@localhost wrote:

> On måndag, jul 14, 2003, at 02:53 Europe/Stockholm, Sanjaya wrote:
> 
> > Yes we run our own root-CA, and the first step is for the client
> > to install APNIC root CA in its trusted root store.
> 
> Good.
> 
> > We're using the OpenCA software (www.openca.org) and modify
> > it to suit our purpose. When we issue a certificate, an e-mail
> > containing download url + instruction is sent to the requestor.
> 
> ...which implies each customer/user of yours has to get a certificate 
> from you which they are to use in the communication with you?
> 
>     paf
> 

Yes. 

There are open questions here, about capabilities in the wider community to
understand PKI, and also about the nature of certification: right now we are
only doing identity certificates for people, but we are using them to
gateway access into IT systems, which makes them agents for authorization as
well as authentication.  They are being presented to SSL enabled webservers,
which then use the identity knowledge to decide to enable/permit a privileged
operation like a whois object update. Right now, the APNIC model has stored
tokens in the web database backend, but we'd expect that we could bypass those,
if we took the PKI model all the way to the whois.

When we discuss PKIX, and things like S-BGP or SO-BGP, it introduces questions
about how we will tie certificates to resources, what are the properties of the
certificate we need to play with to represent the resource, how 'unitary' are
these assertions or can they authenticate a range, and bless instances of the
sub-range as well? This is an area we are going to need to discuss widely.

The Lynn/Kent/Seo draft on X.509 Address and AS identifiers in certificates is
the first document I've seen coming from the IETF which treads into this area
and I think the RIR community needs to review and participate in this
discussion.

draft-ietf-pkix-x509-ipaddr-as-extn-01.txt

cheers
	-George

-- 
George Michaelson       |  APNIC
Email: ggm@localhost    |  PO Box 2131 Milton QLD 4064
Phone: +61 7 3367 0490  |  Australia
  Fax: +61 7 3367 0482  |  http://www.apnic.net