randy/draft-rpki-has-no-identity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

changed a feature, not a bug

Browse source
This commit is contained in:
Randy Bush 2022-03-17 08:26:14 -07:00
parent 74d2ca709b
commit 021e012d36
1 changed files with 12 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

20
draft-ietf-sidrops-rpki-has-no-identity.xml
View file

@ -92,16 +92,18 @@
<t>It has been suggested that one could authenticate real-world
business transactions with the signatures of INR holders. E.g.
Bill's Bait and Sushi could use their AS in the RPKI to sign a
Letter of Authorization (LOA) for some other party to rack and stack
hardware owned by BB&amp;S. Unfortunately, this is not formally
feasible.</t>
Bill's Bait and Sushi could use the private key attesting to
ownership of their AS in the RPKI to sign a Letter of Authorization
(LOA) for some other party to rack and stack hardware owned by
BB&amp;S. Unfortunately, while this may be technically possible, it
is neither appropriate nor meaningful.</t>
<t>The I in RPKI actually stands for "Infrastructure," as in
Resource Public Key Infrastructure, not for "Identity". In fact,
the RPKI does not provide any association between INRs and the real
world holder(s) of those INRs. The RPKI provides authorization to
speak for the named IP address blocks and AS numbers.</t>
make assertions only regarding named IP address blocks, AS numbers,
etc.</t>
<t>In short, avoid the desire to use RPKI certificates for any
purpose other than the verification of authorizations associated
@ -120,10 +122,10 @@
among other issues, it would expose the Certification Authority (CA)
to liability.</t>
<t>That the RPKI does not authenticate real-world identity is a
feature, not a bug. If it tried to do so, aside from the liability,
it would end in a world of complexity with no proof of termination,
as X.400 learned.</t>
<t>That the RPKI does not authenticate real-world identity is by
design. If it tried to do so, aside from the liability, it would
end in a world of complexity with no proof of termination, as X.400
learned.</t>
<t>Registries such as the Regional Internet Registries (RIRs)
provide INR to real-world identity mapping through whois and similar