[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Larry J. Blunk
ljb at merit.edu
Wed Jul 16 18:20:08 CEST 2003
On Mon, 2003-07-14 at 05:15, George Michaelson wrote:
> On Mon, 14 Jul 2003 07:47:11 +0200 Patrik Fältström <paf at cisco.com> wrote:
>
> > On måndag, jul 14, 2003, at 02:53 Europe/Stockholm, Sanjaya wrote:
> >
> > > Yes we run our own root-CA, and the first step is for the client
> > > to install APNIC root CA in its trusted root store.
> >
> > Good.
> >
> > > We're using the OpenCA software (www.openca.org) and modify
> > > it to suit our purpose. When we issue a certificate, an e-mail
> > > containing download url + instruction is sent to the requestor.
> >
> > ...which implies each customer/user of yours has to get a certificate
> > from you which they are to use in the communication with you?
> >
> > paf
> >
>
> Yes.
>
> There are open questions here, about capabilities in the wider community to
> understand PKI, and also about the nature of certification: right now we are
> only doing identity certificates for people, but we are using them to
> gateway access into I.T. Systems, which makes them agents for authorization as
> well as authentication. They are being presented to SSL enabled webservers,
> which then use the identity knowledge to decide to enable/permit a privileged
> operation like a whois object update. Right now, the APNIC model has stored
> tokens in the web database backend, but we'd expect that we could bypass those,
> if we took the PKI model all the way to the whois.
>
> When we discuss PKIX, and things like S-BGP or SO-BGP, it introduces questions
> about how we will tie certificates to resources, what are the properties of the
> certificate we need to play with to represent the resource, how 'unitary' are
> these assertions or can they authenticate a range, and bless instances of the
> sub-range as well.. This is an area we are going to need to discuss widely.
>
> The Lynn/Kent/Seo draft on X.509 Address and AS identifiers in certificates is
> the first document I've seen coming from the IETF which treads into this area
> and I think the RIR community needs to review and participate in this
> discussion.
>
> draft-ietf-pkix-x509-ipaddr-as-extn-01.txt
>
> cheers
> -George

The following Internet Draft was published a few weeks ago --

http://www.ietf.org/internet-drafts/draft-weis-sobgp-certificates-00.txt

It employs a "web of trust" model. The exact role of the RIR
community under this model seems to be somewhat murky.

-Larry Blunk