Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: william(at)elan.net
  • Date: Wed Nov 23 20:56:47 2005


On Thu, 24 Nov 2005, George Michaelson wrote:

According to what I understand, there have to be two certificates per
entity:

	one is the CA-bit enabled certificate, used to sign subsidiary
	certificates about resources being given to other people to use.

	the other is a self-signed NON-CA certificate, used to sign
	route assertions you are attesting to yourself: you make this
	cert using the CA cert you get from your logical parent.
So how is the 2nd one different from the first? In both cases you give
permission to certain use of a resource under your control. If you look
at it the only difference is:
- To authorize reallocations you sign request based on another entity's
ORG object,
- To authorize announcement you sign request based on another entity's
ASN object (can be your own ASN).

But in general ASN object is also basically a type of ORG with extra data
(i.e. ASN# and ASN name), so I don't see why you can't use one cert (if
somebody does not list AS# for their org I guess they can't route independently).

--
William Leibzon
Elan Networks
william@elan.net




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.