Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Sandy Murphy
  • Date: Wed Nov 23 19:46:11 2005

>in operation, this means that there could be isp- (or ufo-)centric
>isp identity certification (a la web of trust, for example) which
>could have a very separate cert chain from that of address space
>allocation, which, aside from the legacy issue, could come via the
>rirs.

So when one receives an update, which part is it that you verify with
the certificate derived from the RIR chain and which part is it that you
verify with the certificate derived from the web-of-trust?  I'm guessing
the answer in part is that there's a signature attesting to the
prefix origination based on the RIR-rooted certificate, but I'm not
certain what you are suggesting you would sign with the web-of-trust
based ISP identity certificate (the origination announcement, indicating
that it is not only authorization to originate but also source
authentication?)

If the RIR-rooted certificate says that ISP XYZ is allocated prefix P,
does the web-of-trust ISP identify certificate have to say exactly
"ISP XYZ"?  Is that exact match the link between what the RIR-rooted
cert is proving and what the web-of-trust identify cert is proving?

--Sandy




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.