Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPEDatabase

  • To: George Michaelson < >
  • From: "Larry J. Blunk" < >
  • Date: 16 Jul 2003 12:20:08 -0400
  • Cc: Patrik Fältström < >
    Sanjaya < >
    "'Kurt Erik Lindqvist'" < >
  • Organization: Merit Network, Inc.

On Mon, 2003-07-14 at 05:15, George Michaelson wrote:
> On Mon, 14 Jul 2003 07:47:11 +0200 Patrik Fältström paf@localhost wrote:
> 
> > On Monday, Jul 14, 2003, at 02:53 Europe/Stockholm, Sanjaya wrote:
> > 
> > > Yes we run our own root-CA, and the first step is for the client
> > > to install APNIC root CA in its trusted root store.
> > 
> > Good.
> > 
> > > We're using the OpenCA software (www.openca.org) and modify
> > > it to suit our purpose. When we issue a certificate, an e-mail
> > > containing download url + instruction is sent to the requestor.
> > 
> > ...which implies each customer/user of yours has to get a certificate 
> > from you which they are to use in the communication with you?
> > 
> >     paf
> > 
> 
> Yes. 
> 
> There are open questions here, about capabilities in the wider community to
> understand PKI, and also about the nature of certification: right now we are
> only doing identity certificates for people, but we are using them to
> gateway access into I.T. Systems, which makes them agents for authorization as
> well as authentication.  They are being presented to SSL enabled webservers,
> which then use the identity knowledge to decide to enable/permit a privileged
> operation like a whois object update. Right now, the APNIC model has stored
> tokens in the web database backend, but we'd expect that we could bypass those,
> if we took the PKI model all the way to the whois.
> 
> When we discuss PKIX, and things like S-BGP or SO-BGP, it introduces questions
> about how we will tie certificates to resources, what are the properties of the
> certificate we need to play with to represent the resource, how 'unitary' are
> these assertions or can they authenticate a range, and bless instances of the
> sub-range as well. This is an area we are going to need to discuss widely.
> 
> The Lynn/Kent/Seo draft on X.509 Address and AS identifiers in certificates is
> the first document I've seen coming from the IETF which treads into this area
> and I think the RIR community needs to review and participate in this
> discussion.
> 
> draft-ietf-pkix-x509-ipaddr-as-extn-01.txt
> 
> cheers
> 	-George
   The following Internet Draft was published a few weeks ago --

http://www.ietf.org/internet-drafts/draft-weis-sobgp-certificates-00.txt

   It employs a "web of trust" model.  The exact role of the RIR
community under this model seems to be somewhat murky.

-Larry Blunk
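As an added illustration (not code from any of the posters, from OpenCA, or from the drafts themselves) of the "range vs. sub-range" question George raises above: the address-block encoding defined by the Lynn/Kent/Seo draft he cites (later published as RFC 3779), in plain Python. It shows how a prefix and an explicit range are written as BIT STRINGs and how a verifier checks that a subject's blocks sit inside the issuer's, which is how a certificate for a range can cover sub-ranges without extra syntax. Assumptions: the bit-trimming rules follow the RFC 3779 text rather than the -01 draft revision, and the outer DER SEQUENCE/OCTET STRING wrapping is omitted.

```python
import ipaddress

# Added example: RFC 3779 / draft-ietf-pkix-x509-ipaddr-as-extn address encoding.
# Assumes the RFC's trimming rules; the enclosing SEQUENCE wrappers are left out.

def _bitstring(bits: str) -> bytes:
    """DER BIT STRING contents: first byte is the count of unused trailing bits."""
    nbytes = (len(bits) + 7) // 8
    unused = nbytes * 8 - len(bits)
    body = int(bits + "0" * unused, 2).to_bytes(nbytes, "big") if nbytes else b""
    return bytes([unused]) + body

def _bits(bitstring: bytes) -> str:
    """Inverse of _bitstring: drop the unused-bits byte and the padding bits."""
    unused, body = bitstring[0], bitstring[1:]
    return "".join(format(b, "08b") for b in body)[: len(body) * 8 - unused]

def encode_prefix(prefix: str) -> bytes:
    """addressPrefix: exactly prefixlen bits, so /8 and /12 of one base differ."""
    net = ipaddress.ip_network(prefix)
    full = format(int(net.network_address), f"0{net.max_prefixlen}b")
    return _bitstring(full[: net.prefixlen])

def encode_range(first: str, last: str) -> tuple[bytes, bytes]:
    """addressRange {min, max}: min drops trailing 0 bits, max drops trailing 1 bits."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    width = lo.max_prefixlen
    return (_bitstring(format(int(lo), f"0{width}b").rstrip("0")),
            _bitstring(format(int(hi), f"0{width}b").rstrip("1")))

def decode_prefix(enc: bytes, width: int) -> tuple[int, int]:
    """A prefix covers [bits padded with 0s, bits padded with 1s]."""
    bits = _bits(enc)
    return int(bits.ljust(width, "0"), 2), int(bits.ljust(width, "1"), 2)

def decode_range(enc_min: bytes, enc_max: bytes, width: int) -> tuple[int, int]:
    """The decoder re-pads min with 0s and max with 1s to recover both addresses."""
    return (int(_bits(enc_min).ljust(width, "0"), 2),
            int(_bits(enc_max).ljust(width, "1"), 2))

def issuer_covers(issuer: list[tuple[int, int]], subject: list[tuple[int, int]]) -> bool:
    """Validation rule: every subject interval must lie inside some issuer interval.
    This is what lets a certificate for a range bless any sub-range beneath it."""
    return all(any(ilo <= slo and shi <= ihi for ilo, ihi in issuer)
               for slo, shi in subject)

if __name__ == "__main__":
    # Constructed sample: an RIR-style /8 certifying a customer's explicit range.
    rir = [decode_prefix(encode_prefix("10.0.0.0/8"), 32)]
    customer = [decode_range(*encode_range("10.0.0.0", "10.0.1.255"), 32)]
    print("covered:", issuer_covers(rir, customer))
```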