changed a feature, not a bug
This commit is contained in:
parent
74d2ca709b
commit
021e012d36
1 changed files with 12 additions and 10 deletions
|
|
@ -77,7 +77,7 @@
|
||||||
collectively known as Internet Number Resources (INRs). Since
|
collectively known as Internet Number Resources (INRs). Since
|
||||||
initial deployment, the RPKI has grown to include other similar
|
initial deployment, the RPKI has grown to include other similar
|
||||||
resource and routing data, e.g. Router Keying for BGPsec, <xref
|
resource and routing data, e.g. Router Keying for BGPsec, <xref
|
||||||
target="RFC8635"/>.</t>
|
target="RFC8635"/>.</t>
|
||||||
|
|
||||||
<t>In security terms, the phrase "Public Key" implies there is also
|
<t>In security terms, the phrase "Public Key" implies there is also
|
||||||
a corresponding private key <xref target="RFC5280"/>. The RPKI's
|
a corresponding private key <xref target="RFC5280"/>. The RPKI's
|
||||||
|
|
@ -92,16 +92,18 @@
|
||||||
|
|
||||||
<t>It has been suggested that one could authenticate real-world
|
<t>It has been suggested that one could authenticate real-world
|
||||||
business transactions with the signatures of INR holders. E.g.
|
business transactions with the signatures of INR holders. E.g.
|
||||||
Bill's Bait and Sushi could use their AS in the RPKI to sign a
|
Bill's Bait and Sushi could use the private key attesting to
|
||||||
Letter of Authorization (LOA) for some other party to rack and stack
|
ownership of their AS in the RPKI to sign a Letter of Authorization
|
||||||
hardware owned by BB&S. Unfortunately, this is not formally
|
(LOA) for some other party to rack and stack hardware owned by
|
||||||
feasible.</t>
|
BB&S. Unfortunately, while this may be technically possible, it
|
||||||
|
is neither appropriate nor meaningful.</t>
|
||||||
|
|
||||||
<t>The I in RPKI actually stands for "Infrastructure," as in
|
<t>The I in RPKI actually stands for "Infrastructure," as in
|
||||||
Resource Public Key Infrastructure, not for "Identity". In fact,
|
Resource Public Key Infrastructure, not for "Identity". In fact,
|
||||||
the RPKI does not provide any association between INRs and the real
|
the RPKI does not provide any association between INRs and the real
|
||||||
world holder(s) of those INRs. The RPKI provides authorization to
|
world holder(s) of those INRs. The RPKI provides authorization to
|
||||||
speak for the named IP address blocks and AS numbers.</t>
|
make assertions only regarding named IP address blocks, AS numbers,
|
||||||
|
etc.</t>
|
||||||
|
|
||||||
<t>In short, avoid the desire to use RPKI certificates for any
|
<t>In short, avoid the desire to use RPKI certificates for any
|
||||||
purpose other than the verification of authorizations associated
|
purpose other than the verification of authorizations associated
|
||||||
|
|
@ -120,10 +122,10 @@
|
||||||
among other issues, it would expose the Certification Authority (CA)
|
among other issues, it would expose the Certification Authority (CA)
|
||||||
to liability.</t>
|
to liability.</t>
|
||||||
|
|
||||||
<t>That the RPKI does not authenticate real-world identity is a
|
<t>That the RPKI does not authenticate real-world identity is by
|
||||||
feature, not a bug. If it tried to do so, aside from the liability,
|
design. If it tried to do so, aside from the liability, it would
|
||||||
it would end in a world of complexity with no proof of termination,
|
end in a world of complexity with no proof of termination, as X.400
|
||||||
as X.400 learned.</t>
|
learned.</t>
|
||||||
|
|
||||||
<t>Registries such as the Regional Internet Registries (RIRs)
|
<t>Registries such as the Regional Internet Registries (RIRs)
|
||||||
provide INR to real-world identity mapping through whois and similar
|
provide INR to real-world identity mapping through whois and similar
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue