
Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPEDatabase

  • To: Jan Meijer < >
  • From: Randy Bush < >
  • Date: Wed, 16 Jul 2003 16:51:48 +0200
  • Cc: Patrik Fältström < >

>> so i am supposed to install the RIRs' certs in my browser as root
>> CAs and ignore the big hole for attack this opens?  i already
>> *remove* a bunch of root CAs when i bring up a new browser.  this
>> is the new internet.  get paranoid.
> I might overlook something but what's the big hole

someone getting at the root CA key at an RIR

> Specify 'few'.  As far as I know it is not cheap to have your PKI
> signed by one of the 'well-trusted' root CAs.

maybe not cheap for a student, but an RIR can afford it

> Or are you suggesting that RIPE should select one of the
> commercial root CAs and get all the client certificates from that
> shop?

no, the RIRs can sign their customers' certs.

maybe a tutorial is needed on how this stuff works.  paf, is there
one readily available?

> From a trust point of view it is in fact *better* to consciously
> import the RIPE root-ca certificate in your browser than to
> simply trust what's in your root certificate store.

when the RIRs' procedures to protect their root CA keys are audited
by third parties who have the expertise to do so.

randy



