At 11:07 AM -0500 12/9/08, Heather Schiller wrote:
Stephen Kent wrote:

Steve


P.S. Irrespective of my analysis above, yes, I do prefer a singly-rooted PKI, with IANA as the only TA, but I can live with a set of TAs so long as I can count them on my fingers, and they all are authoritative for the resources in question :-).
_______________________________________________


Steve, That's the concern -- what happens if 2 RIRs assert authority to the same resource?

  --Heather

If two RIRs claim to be authoritative for the same address block, and if they both allocate that block to lower tier entities (e.g., ISPs), then certs and ROAs issued by those entities will be validated by RP software using the default TA set. Note, though, that an equivalent problem can arise if one RIR accidentally allocates the same block to two ISPs. We can't reliably detect and automatically reject this, because when address space transfers are in process, they look the same (in terms of RPKI objects).

Yes, it would be preferable if we had a way to detect inter-RIR conflicts when they represent errors. There is at least one possible solution to this, even if both IANA and the RIRs are represented as "default" or "nominal" trust anchors, but it would be cleaner if IANA was the sole TA.

Steve

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
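The situation Steve describes, as an added example that is not part of the thread or of any RPKI implementation: a toy relying-party model in which certificates carry RFC 3779-style IP resource sets and an issuer chain, with all cryptography omitted (signatures are assumed good). It uses constructed names (RIR-A, RIR-B, ISP-1, ISP-2, ISP-3, IANA), the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the AS numbers 64496/64497 as sample data. With two self-signed RIR trust anchors, an inter-RIR double claim, an intra-RIR double allocation and a transfer in progress all produce the same overlapping, valid ROAs; with IANA as the sole TA issuing each RIR only its own blocks, the inter-RIR case fails containment while the other two still look alike.

```python
"""Toy RPKI relying-party validation over a configurable trust-anchor set.

Added example, not code from the sidr thread or from any RPKI software.
Names, prefixes and AS numbers below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    name: str
    resources: List[IPv4Network]       # RFC 3779 IP address resources (v4 only here)
    issuer: Optional["Cert"] = None    # None: self-signed, i.e. a candidate TA


@dataclass
class ROA:
    prefix: IPv4Network
    asn: int
    signer: Cert                       # stands in for the EE cert that signs the ROA


def covers(parent: List[IPv4Network], child: List[IPv4Network]) -> bool:
    """RFC 3779 containment: every child prefix lies inside some parent prefix."""
    return all(any(c.subnet_of(p) for p in parent) for c in child)


def chain_valid(cert: Cert, tas: Dict[str, Cert]) -> bool:
    """Walk up to the root, checking resource containment at each step; the
    self-signed root must be one of the configured trust anchors."""
    while cert.issuer is not None:
        if not covers(cert.issuer.resources, cert.resources):
            return False
        cert = cert.issuer
    return tas.get(cert.name) is cert


def roa_valid(roa: ROA, tas: Dict[str, Cert]) -> bool:
    return chain_valid(roa.signer, tas) and covers(roa.signer.resources, [roa.prefix])


def root_of(cert: Cert) -> Cert:
    while cert.issuer is not None:
        cert = cert.issuer
    return cert


def overlapping_roas(roas: List[ROA], tas: Dict[str, Cert]) -> List[Tuple[ROA, ROA]]:
    """Pairs of *valid* ROAs with overlapping prefixes issued under different certs.
    The RP sees only the objects, so it cannot tell an error from a transfer."""
    valid = [r for r in roas if roa_valid(r, tas)]
    return [(a, b) for i, a in enumerate(valid) for b in valid[i + 1:]
            if a.prefix.overlaps(b.prefix) and a.signer is not b.signer]


def scenario(kind: str, single_root: bool = False):
    """Constructed data. `kind` picks who else holds 192.0.2.0/24 besides ISP-1."""
    blk = ip_network("192.0.2.0/24")
    if single_root:
        # Singly-rooted PKI: IANA is the only TA and issues each RIR exactly
        # the blocks it holds. blk went to RIR-A, so RIR-B's cert lacks it.
        iana = Cert("IANA", [ip_network("0.0.0.0/0")])
        tas = {"IANA": iana}
        rir_a = Cert("RIR-A", [blk, ip_network("198.51.100.0/24")], issuer=iana)
        rir_b = Cert("RIR-B", [ip_network("203.0.113.0/24")], issuer=iana)
    else:
        # Multi-TA set: each RIR is a self-signed TA asserting its own resources,
        # so nothing above RIR-B checks that its claim to blk is wrong.
        rir_a = Cert("RIR-A", [blk, ip_network("198.51.100.0/24")])
        rir_b = Cert("RIR-B", [blk, ip_network("203.0.113.0/24")])
        tas = {"RIR-A": rir_a, "RIR-B": rir_b}
    isp1 = Cert("ISP-1", [blk], issuer=rir_a)
    if kind == "inter-rir":        # two RIRs each allocate blk to an ISP
        other = Cert("ISP-2", [blk], issuer=rir_b)
    elif kind == "intra-rir":      # one RIR accidentally allocates blk twice
        other = Cert("ISP-2", [blk], issuer=rir_a)
    elif kind == "transfer":       # ISP-1 is transferring blk to ISP-3
        other = Cert("ISP-3", [blk], issuer=rir_a)
    else:
        raise ValueError(kind)
    return [ROA(blk, 64496, isp1), ROA(blk, 64497, other)], tas


def validity(kind: str, single_root: bool = False) -> Dict[int, bool]:
    roas, tas = scenario(kind, single_root)
    return {r.asn: roa_valid(r, tas) for r in roas}


def conflicts(kind: str, single_root: bool = False) -> List[Tuple[str, str, str, str]]:
    """(signer, its TA, signer, its TA) for each pair of valid, overlapping ROAs."""
    roas, tas = scenario(kind, single_root)
    return [(a.signer.name, root_of(a.signer).name, b.signer.name, root_of(b.signer).name)
            for a, b in overlapping_roas(roas, tas)]


if __name__ == "__main__":
    for root in (False, True):
        for k in ("inter-rir", "intra-rir", "transfer"):
            print("IANA-only" if root else "multi-TA", k, validity(k, root), conflicts(k, root))
```

Under the multi-TA set all three kinds yield the same overlap, which is why an RP cannot reject any of them automatically. With IANA as the sole TA, the inter-RIR case is caught at containment (ISP-2's ROA under RIR-B becomes invalid), while the intra-RIR and transfer cases remain indistinguishable from one another, matching the two halves of the argument.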
