Re: [routing-wg]2008-04 New Policy Proposal (Using the Resource Public Key Infrastructure to Construct Validated IRR Data)
To: Rob Evans rhe@localhost, Randy Bush randy@localhost, Kurt Erik Lindqvist kurtis@localhost
From: Geoff Huston gih@localhost
Date: Wed, 30 Apr 2008 07:54:16 +1000
Rob Evans wrote:
Folks,
PDP Number: 2008-04
Using the Resource Public Key Infrastructure to Construct Validated
IRR Data
We have ourselves a policy proposal. :)
The discussion here should concentrate on whether it is useful to
construct an IRR out of certified resources placed in the RPKI.
It may also be useful to consider this in the light of alternative
approaches where the RPSL object is signed by the resource holder,
using a signing certificate that is validatable in the context of
a resource PKI. In this case the certificates in the RPKI would
be used to validate that the object that was retrieved from the IRR
was signed by the current holder of the resources that are described
in the object, has not been altered or tampered with in any way, and
that trust in the validity of the object is no longer based just
on the admission and management policies of the registry.
Using digitally signed attestations to synthesise IRR objects, as
per this proposal, and adding digital signatures to the IRR objects
appear to be alternate paths in the overall direction of adding
some mechanisms of explicit validation of IRR objects.
What classes of IRR objects could be generated using the approach of
generating IRR objects from RPKI data?
regards,
Geoff