I'm perfectly OK with not necessarily codifying this in the bylaws; you're right in that the bylaws don't
spell out admission specifically today.
I guess a meta question is - should it? And if it shouldn't, is this just a topic to bring up at the
community meeting and then ask the board to
On Mon, 12 Sep 2011 04:39:52 -, Marcus Reid said:
You don't have to have the big fat Mozilla root cert bundle on your
machines. Some OSes ship with an empty /etc/ssl, nobody tells you who
you trust.
And for those OS's (who are they, anyhow) that ship empty bundles,
how many CAs do you
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
If I have a thawte cert for valdis.com on host A and one from comodo
on host B... which is the right one?
You wouldn't have 2 certs for that... I'd have *one* cert for that. And if when
you got to the IP address you were trying to
Hank and everyone,
This is a very interesting problem. As it happens, some folks in the
IETF have anticipated this one. For those who are interested, Paul
Hoffman and Jakob Schlyter have been working within the DANE working
group at the IETF to provide for a means to alleviate some of the
Mike,
On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones m...@mikejones.in wrote:
It will take a while to get updated browsers rolled out to enough
users for it to be practical to start using DNS based self-signed
certificates instead of CA-Signed certificates, so why don't any
browsers have support
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end user.
They see a green address bar with the company's name
-Original Message-
From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua]
I.e. instead of a set of trusted CAs there will be one distributed net
of servers, that act as a cert storage?
I do not see how that could help...
Well, I do not even see how can one trust any certificate
On Monday, September 12, 2011 12:08:56 PM Coy Hile wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end
Steinar,
On Sun, Sep 11, 2011 at 8:12 PM, sth...@nethelp.no wrote:
To pop up the stack a bit it's the fact that an organization willing to
behave in that fashion was in my list of CA certs in the first place.
Yes they're blackballed now, better late than never I suppose. What does
that say
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers and phishing schemes. Even EV certificates don't help when consumers
Except that this just shifts the burden of trust on to DNSSEC, which also
necessitates a central authority of 'trust'. Unless there's an explicitly
more secure way of storing DNSSEC private keys, this just moves the bullseye
from CAs to DNSSEC signers.
Jason
On Mon, Sep 12, 2011 at 5:30 AM,
In article
CAJNn=DNMrGC42i4Q_Wjvz-i9uV_4w1YnfM8vcX4g_wnXLoT=v...@mail.gmail.com you
write:
Except that this just shifts the burden of trust on to DNSSEC, which also
necessitates a central authority of 'trust'. Unless there's an explicitly
more secure way of storing DNSSEC private keys, this
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist insert intel organisation here when they ask for
dodgy certs so they can intercept something..
No, as soon as you have somebody who is not
Randy Bush wrote:
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist insert intel organisation here when they ask for
dodgy certs so they can intercept something..
No, as soon as you have
with dane, i trust whoever runs dns for citibank to identify the cert
for citibank. this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.
If the root DNS keys were compromised in an all DNS rooted world...
unhappiness would ensue in
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up complexity too and makes you wonder
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome = v14 already does.
Regards,
Martin
On Mon, Sep 12, 2011 at 4:39 AM, valdis.kletni...@vt.edu wrote:
On Sun, 11 Sep 2011 22:01:47 EDT, Christopher Morrow said:
If I have a thawte cert for valdis.com on host A and one from comodo
on host B... which is the right one?
You wouldn't have 2 certs for that... I'd have *one* cert for
Martin Millnert wrote:
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome = v14 already does.
The perils of coming in late in a
On 13/09/11 01:12, Randy Bush wrote:
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up
Hallo North Americans,
I am from Europe. A contributor on the Centos (the largest Red Hat
clone) list suggested I repost my ARIN item on your list.
I have a BASH script called .w
It contains
#! /bin/bash
whois $1
host $1
When I type
.w 51.51.51.51
I
On 2011-09-12 17:40 , Always Learning wrote:
Dear person who is too scared to set up a regular email account in his own
full name.
[..]
The Internet was created in North America. Many people around the world
would appreciate your help in getting ARIN to revert to normal WHOIS
displays. ARIN
On Mon, 12 Sep 2011, Jeroen Massar wrote:
On 2011-09-12 17:40 , Always Learning wrote:
Dear person who is too scared to set up a regular email account in his own
full name.
[..]
The Internet was created in North America. Many people around the world
would appreciate your help in getting ARIN
On Mon, 2011-09-12 at 12:32 -0400, Jon Lewis wrote:
No he's not. He's complaining that sometime in the past few weeks (or is
it months now?) ARIN changed the behavior of their whois server. New
output for the query 209.208.0.1 is (omitting comments):
Internet Connect Company, Inc.
That was on June 25th according to Mark Kosters. They started to answer
with both the parent and delegated objects. That hosed the way RWHOIS data
was being reported to most things as the client won't know which to send
through to the rwhois servers. Still works from an old SCO box but not from
On Mon, 12 Sep 2011, Eric Krichbaum wrote:
That was on June 25th according to Mark Kosters. They started to answer
with both the parent and delegated objects. That hosed the way RWHOIS data
was being reported to most things as the client won't know which to send
through to the rwhois servers.
On Mon, Sep 12, 2011 at 12:53 PM, Jon Lewis jle...@lewis.org wrote:
On Mon, 12 Sep 2011, Eric Krichbaum wrote:
That was on June 25th according to Mark Kosters. They started to answer
with both the parent and delegated objects. That hosed the way RWHOIS
data
was being reported to most
On Mon, 2011-09-12 at 18:17 +0200, Jeroen Massar wrote:
On 2011-09-12 17:40 , Always Learning wrote:
Dear person who is too scared to set up a regular email account in his own
full name.
Beste Fuzzel,
Mijn naam is Paul. It was at the bottom of my posting.
Sorry I have never ever had a
On Mon, Sep 12, 2011 at 7:09 AM, Martin Millnert milln...@gmail.com wrote:
Something similar, including use of purchased (not only limited to
stolen certs), is ongoing already, all of the time. (I had a fellow
IRC-chat-friend report from a certain very western-allied middle
eastern country
On Mon, Sep 12, 2011 at 1:39 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Date: Mon, 12 Sep 2011 11:22:11 -0400
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy,
releases updates
From: Christopher Morrow morrowc.li...@gmail.com
I think I need a method that the
On Mon, Sep 12, 2011 at 12:53:47PM -0400, Jon Lewis wrote:
Prepending the query with a + works for me, in that I get the expected
data, but there's additional unexpected data (full record for the Parent,
even if the Parent is just an ARIN /8) in the output that will probably
still cause
On 12 September 2011 18:39, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Seriously, about the only way I see to ameliorate this kind of problem is
for people to use self-signed certificates that are then authenticated
by _multiple_ 'trust anchors'. If the end-user world raises warnings
for a
Does anybody currently use vyatta as a bgp router for their company? If
so have you run into any problems with using that instead of a cisco or
juniper router?
On Sep 13, 2011, at 1:42 AM, Ben Albee wrote:
Does anybody currently use vyatta as a bgp router for their company?
The days of public-facing software-based routers were over years ago - you need
an ASIC-based edge router, else you'll end up getting zorched.
The days of public-facing software-based routers were over years ago - you
need an ASIC-based edge router, else you'll end up getting zorched.
wait, what?
--
//fredan
-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Monday, September 12, 2011 11:56 AM
To: North American Network Operators' Group
Subject: Re: vyatta for bgp
On Sep 13, 2011, at 1:42 AM, Ben Albee wrote:
Does anybody currently use vyatta as a bgp router
On 12/09/2011 20:08, Michael K. Smith - Adhost wrote:
How do you come to this conclusion? I think a software-based router for
enterprise level (let's say on the 1G per provider level) can handle a
fair amount of zorching.
I presume by a fair amount, I presume you mean barely any?
At large
On Sep 12, 2011, at 12:35 PM, Nick Hilliard wrote:
On 12/09/2011 20:08, Michael K. Smith - Adhost wrote:
How do you come to this conclusion? I think a software-based router for
enterprise level (let's say on the 1G per provider level) can handle a
fair amount of zorching.
I presume by a
On Sep 13, 2011, at 2:45 AM, Owen DeLong wrote:
In your typical enterprise environment, a 1G DoS will zorch the link long
before it zorches the router at the enterprise side.
This contradicts my experience - I've repeatedly witnessed only a few mb/sec of
64-byte packets making software-based
Subject: Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
Date: Mon, Sep 12, 2011 at 11:46:04AM +0200 Quoting fredrik danerklint
(fredan-na...@fredan.se):
How about a TXT record with the CN string of the CA cert subject in it?
If it exists and there's a conflict,
Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net]
Sent: Monday, September 12, 2011 2:56 PM
To: North American Network Operators' Group
Subject: Re: vyatta for bgp
zorched.
---
Zorch. I like that.
On Mon, 12 Sep 2011 20:12:43 -, Dobbins, Roland said:
This contradicts my experience - I've repeatedly witnessed only a few mb/sec
of 64-byte packets making software-based routers fall over, including just
last
month.
On the flip side, there's a *lot* of sites that have to make
On Sep 13, 2011, at 3:34 AM, Chuck Church wrote:
Is the concern over a DDOS aimed against the router itself, or just massive
flows passing through?
Yes, but mainly the former.
;
---
Roland Dobbins rdobb...@arbor.net //
On Mon, 12 Sep 2011 22:31:59 +0200, Måns Nilsson said:
Since you are from Sweden, and in an IT job, you probably have personal
relations to someone who has personal relations to one of the swedes
or other nationalities that were present at the key ceremonies for the
root. Once you've
How about a TXT record with the CN string of the CA cert subject in
it? If it exists and there's a conflict, don't trust it. Seems
simple enough to implement without too much collateral damage.
Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
to
Thanks for all the feedback.
We will only have two ipv4 BGP peers (both 5mb/sec links) to the same
ISP. We are doing BGP because we plan to add a second ISP at one of our
locations in the future. We are not anywhere near a large enterprise, this
will be replacing two DSL lines and a T1.
On Sep 13, 2011, at 3:43 AM, Everton Marques wrote:
Would Cisco ISR G2 3925E classify as software-based router?
Yes.
Do you expect it to bend itself down under a few Mbps of 64-byte packets?
Especially if they're directed at the router itself, at some point, sure -
though the ISR2 certainly
On 09/12/11 10:13, Always Learning wrote:
Primarily IP ranges to block and/or abuse email addresses.
https://www.arin.net/participate/mailing_lists/
Thank you. I will try it.
Oh, and there they also like to see your real name and not a junk mail
address. Just like on the RIPE
On Mon, Sep 12, 2011 at 1:52 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Sep 13, 2011, at 3:43 AM, Everton Marques wrote:
Would Cisco ISR G2 3925E classify as software-based router?
Yes.
Do you expect it to bend itself down under a few Mbps of 64-byte packets?
Especially if they're
On 9/12/11 4:58 PM, Michael Sinatra mich...@rancid.berkeley.edu wrote:
On 09/12/11 10:13, Always Learning wrote:
Primarily IP ranges to block and/or abuse email addresses.
https://www.arin.net/participate/mailing_lists/
Thank you. I will try it.
Oh, and there they also like to see your
On Sep 13, 2011, at 4:13 AM, Brent Jones wrote:
A high end ASIC can handle millions/tens of millions PPS, but directed
to the control plane (which is often a general purpose CPU as well,
Intel or PowerPC), probably not in most scenarios.
CoPP.
Brent,
On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones br...@servuhome.net wrote:
Lots of devices can have trouble if you direct high PPS to the control
plane, and will exhibit performance degradation, leading up to a DoS
eventually.
That isn't limited to software based routers at all, it will
Mike Jones m...@mikejones.in wrote:
DNSSEC deployment is advanced enough now to do that automatically at the
client.
Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between
Could be this..?
http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/independent-domain-edit-routing-options.html
unrecognized transitive attributes depend on whatever code version you are
running... What's more important is how the unrecognized
On Mon, Sep 12, 2011 at 2:35 PM, Nick Hilliard n...@foobar.org wrote:
I presume by a fair amount, I presume you mean barely any?
At large packet sizes, an enterprise level router will just about handle
a 1G DoS attack. Thing is, bandwidth DoS / DDoS is sufficiently easy to
[snip]
How much
On 9/12/2011 3:12 PM, Dobbins, Roland wrote:
On Sep 13, 2011, at 2:45 AM, Owen DeLong wrote:
In your typical enterprise environment, a 1G DoS will zorch the link long
before it zorches the router at the enterprise side.
This contradicts my experience - I've repeatedly witnessed only a few
On 09/12/11 17:49, Jimmy Hess wrote:
I think arin-discuss would be a better place for this than arin-ppml.
You're suggesting using ARIN's private members-only mailing list over
a public one?
That doesn't make sense, because this is a public issue, not a members issue.
PPML isn't right either,
I e-mailed Marco (md) the creator of 'whois' back in July when this started
and he stated he was going to try to work around the rWHOIS issue in the
next release. Sadly there hasn't been a new release yet but I am hopeful.