About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

RE: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

  • From: "Sanjaya" < >
    < >
  • Date: Fri, 18 Jul 2003 14:05:04 +1000
Hi all,

APNIC has a "terms and conditions" but it is not yet a formal CPS.
We are working on that.

We also have investigated cross-certification from a well known
commercial CA on February this year. However, the quoted price
of US$50,000 a year is not justified in our opinion.

We are also considering a formal audit once our CPS has been
formalised.

Please note that at present our certificates are used for identifying
member staff to access internal aplication (MyAPNIC), so the subject of 
third-party trust issues may not yet apply.  By the time 3rd parties 
become involved (eg allocation/route certification), we would certainly 
have more standard CA/PKI structures in place.

This is a new area for most of us, and we are very open to advice and
input from the community.

Cheers,
Sanjaya
APNIC CA Project Manager

> -----Original Message-----
> From: db-wg-admin@localhost [
	    
	    

] On 
> Behalf Of Randy Bush
> Sent: Thursday, 17 July 2003 12:52 AM
> To: Jan Meijer
> Cc: Patrik Fältström; ncc-services-wg@localhost db-wg@localhost
> Subject: Re: [db-wg] Re: [ncc-services-wg] X.509 
> authentication in the RIPE Database
> 
> 
> >> so i am supposed to install the RIRs' certs in my browser as root
> >> CAs and ignore the big hole for attack this opens?  i already
> >> *remove* a bunch of root CAs when i bring up a new browser.  this
> >> is the new internet.  get paranoid.
> > I might overlook something but what's the big hole
> 
> someone getting at the root CA key at an RIR
> 
> > Specify 'few'.  As far as I know this it is not cheap to 
> have your PKI
> > signed by one of the 'well-trusted' root CAs.
> 
> maybe not cheap for a student, but an RIR can afford it
> 
> > Or are you suggesting that RIPE should select one of the
> > commercial root CAs and get all the client certificates from that
> > shop?
> 
> no, the RIRs can sign their customers certs.
> 
> maybe a tutorial is needed on how this stuff works.  paf, is there
> one readily available?
> 
> > From a trust point of view it is in fact *better* to consciously
> > import the RIPE root-ca certificate in your browser then to
> > simply trust what's in your root certificate store.
> 
> when the RIRs' procedures to protect their root CA keys are audited
> by third parties who have the expertise to do so.
> 
> randy
>
  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community