randy/draft-rpki-has-no-identity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

changed a feature, not a bug

Browse source
This commit is contained in:
Randy Bush 2022-03-17 08:26:14 -07:00
parent 74d2ca709b
commit 021e012d36
1 changed files with 12 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

20
draft-ietf-sidrops-rpki-has-no-identity.xml
View file

@ -92,16 +92,18 @@
<t>It has been suggested that one could authenticate real-world <t>It has been suggested that one could authenticate real-world
business transactions with the signatures of INR holders. E.g. business transactions with the signatures of INR holders. E.g.
Bill's Bait and Sushi could use their AS in the RPKI to sign a Bill's Bait and Sushi could use the private key attesting to
Letter of Authorization (LOA) for some other party to rack and stack ownership of their AS in the RPKI to sign a Letter of Authorization
hardware owned by BB&amp;S. Unfortunately, this is not formally (LOA) for some other party to rack and stack hardware owned by
feasible.</t> BB&amp;S. Unfortunately, while this may be technically possible, it
is neither appropriate nor meaningful.</t>
<t>The I in RPKI actually stands for "Infrastructure," as in <t>The I in RPKI actually stands for "Infrastructure," as in
Resource Public Key Infrastructure, not for "Identity". In fact, Resource Public Key Infrastructure, not for "Identity". In fact,
the RPKI does not provide any association between INRs and the real the RPKI does not provide any association between INRs and the real
world holder(s) of those INRs. The RPKI provides authorization to world holder(s) of those INRs. The RPKI provides authorization to
speak for the named IP address blocks and AS numbers.</t> make assertions only regarding named IP address blocks, AS numbers,
etc.</t>
<t>In short, avoid the desire to use RPKI certificates for any <t>In short, avoid the desire to use RPKI certificates for any
purpose other than the verification of authorizations associated purpose other than the verification of authorizations associated
@ -120,10 +122,10 @@
among other issues, it would expose the Certification Authority (CA) among other issues, it would expose the Certification Authority (CA)
to liability.</t> to liability.</t>
<t>That the RPKI does not authenticate real-world identity is a <t>That the RPKI does not authenticate real-world identity is by
feature, not a bug. If it tried to do so, aside from the liability, design. If it tried to do so, aside from the liability, it would
it would end in a world of complexity with no proof of termination, end in a world of complexity with no proof of termination, as X.400
as X.400 learned.</t> learned.</t>
<t>Registries such as the Regional Internet Registries (RIRs) <t>Registries such as the Regional Internet Registries (RIRs)
provide INR to real-world identity mapping through whois and similar provide INR to real-world identity mapping through whois and similar