North American Network Operators Group
Re: Validating rights to announce a prefix
Okay, I admit I haven't paid the closest attention to RPKI, but I have to ask: Is this a two-way shared-key issue, or (worse) a case where we need to rely on a central entity to be a key clearinghouse?
I must point out that HTTPS is still in PKI land - it's just "another one", inviting otherwise unrelated parties (like Verisign et al.) into the system.
As for how the address owner delegates the right to announce a prefix, they could either operate their own database and
The principles for this are included in the SIDR efforts.
People are too hung up on cryptographically secure PKI systems which are way overkill for this problem. In fact, it should be possible to design an architecture that allows for an easy upgrade to PKI if it should be determined at some future date that PKI is necessary.
It's hard to switch to a more secure method later on if you start with a less secure one. So, "upgrading" to PKI from something else only makes sense if that previous system was secure enough - but then why would you want to change?