At 1:38 PM -0500 12/9/08, Heather Schiller wrote:
...
It sounds like you are suggesting that it is up to the operator to
decide who is authoritative for a set of resources. This seems
illogical because the operator doesn't control the resources and who
is authoritative for them. Deciding which RIR should be
authoritative for a resource is non-trivial and should not be left
up to individual operators. Appointing a single TA - and having it
delegate downward resolves this conflict. Alternatively, find some
other way to ensure that multiple TAs cannot have a conflict.
--Heather
Heather,
In ANY PKI, each RP is always the final arbiter of who he/she
perceives to be authoritative. The best we can do here is to provide
a default TA (or set of TAs), that are easy for RPs to adopt, and
that reflect the extant resource allocation system. That's what we
have done, almost :-).
I have a lot of exposure to attempts to create PKIs that cross
organizational boundaries, in various parts of the world. Compared to the
other efforts with which I am familiar, this is a very, very good
effort. We have avoided creating third parties to act as CAs. We
don't have bridge CAs (which could not work with the 3779 path
validation description). We're debating the downside of offering 6
TAs, all of which are legitimate, authoritative entities in the
resource allocation system, vs 1. I think we're pretty close.
Steve
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr