On Mon, May 6, 2019 at 1:45 AM Owen DeLong <[email protected]> wrote:
> Well, this might pose one small problem… ARIN doesn’t approve (or disprove)
> any other RIR’s RPKI, nor does it have any authority or basis for doing so.

Perhaps this represents a design issue in the RPKI that would likely be addressed in due time, then, before promulgating the protocol any further...?

That the individual RIRs should not each have their own separate instance of a root of the resource PKI in the first place (which each router would then need to load).

There should instead be a single root authority, much like what exists for the DNS root signing key for DNSSEC. And the root CA certificate's signing key used to sign an intermediate root CA, from which each RIR receives a certificate signed by the intermediary that grants CA authority for signing only certificates that are limited to signing only certificates that can only validate for IP Number resources contained in the list of IPv4 and IPv6 blocks and AS number ranges, which are from the list of the blocks that have been allocated by IANA to the respective parent RIR.

Instead of referring to "an ARIN Approved RPKI", one would mention "A particular global RPKI".

> Some of us prefer the global internet rather than dividing it up into 5
> regional internets.
> Owen

--
-JH
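The containment rule behind the single-root proposal in the message above, as an added example that is not part of the original post: each certificate in a root -> intermediate -> RIR -> member chain may only claim prefixes and AS ranges held by its issuer, in the style of RFC 3779 resource extensions. The certificate names, the dictionary layout and all resource values are constructed (documentation ranges), and signature checking is assumed to happen elsewhere.

```python
import ipaddress

def _collapsed(prefixes, version):
    """Parse prefixes and merge adjacent/overlapping ones of one IP version."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == version))

def encompasses(issuer, subject):
    """True if every prefix and AS range of `subject` lies inside `issuer`'s."""
    for version in (4, 6):
        allowed = _collapsed(issuer["prefixes"], version)
        for net in _collapsed(subject["prefixes"], version):
            if not any(net.subnet_of(a) for a in allowed):
                return False
    for lo, hi in subject["asns"]:
        if not any(a_lo <= lo and hi <= a_hi for a_lo, a_hi in issuer["asns"]):
            return False
    return True

def first_overclaim(chain):
    """Walk the chain root -> leaf and return the name of the first
    certificate claiming resources its issuer does not hold, else None."""
    for issuer, subject in zip(chain, chain[1:]):
        if not encompasses(issuer, subject):
            return subject["name"]
    return None

# Constructed sample data: hypothetical names, documentation address/AS ranges.
EVERYTHING = {"prefixes": ["0.0.0.0/0", "::/0"], "asns": [(0, 4294967295)]}
ROOT = {"name": "global-root", **EVERYTHING}
INTERMEDIATE = {"name": "intermediate", **EVERYTHING}
# Stand-in for "blocks allocated by IANA to this RIR".
RIR_A = {"name": "rir-a",
         "prefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"],
         "asns": [(64496, 64503)]}
MEMBER_OK = {"name": "member-ok",
             "prefixes": ["192.0.2.0/24", "2001:db8:10::/48"],
             "asns": [(64500, 64500)]}
# Claims a block that rir-a was never given, so validation must stop here.
MEMBER_BAD = {"name": "member-bad",
              "prefixes": ["198.51.100.0/24"],
              "asns": [(64500, 64500)]}

if __name__ == "__main__":
    for leaf in (MEMBER_OK, MEMBER_BAD):
        chain = [ROOT, INTERMEDIATE, RIR_A, leaf]
        print(leaf["name"], "->", first_overclaim(chain) or "chain consistent")
```
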
