At 3:07 PM -0500 1/19/12, Eric Osterweil wrote:
...
Like I said, this is not something I (personally) feel the need to
rehash here. If those on the other thread ("[sidr] I-D Action:
draft-ietf-sidr-rpki-rtr-23.txt") were content w/ its resolution, so
be it. But, iirc, there seemed to be some... lingering
disagreement, no?
I think there was confusion re this topic, and that the RYR protocol
doc could be improved by adding text in the security considerations
section to clarify the trust model envisioned by the authors.
...
I just took a read through that draft, thanks for the pointer! :)
you're welcome.
OOC, were you all imagining that the CMC authentication for these
BGPsec routers would use a shared secret or a pre-installed
certified key o each remote router? Also, do you happen to know
which nation states require key escrow these days?
This is a local matter, so each ISP can decide what approach they
wish to adopt. I personally prefer installing the cert for the CA.
When key escrow has been required, it has usually been mandated for
keys used for encryption, not for integrity or authentication. Since
we're discussing integrity & authentication here, it is not clear
that there are any applicable key escrow regulations. Also, the IETF
general policy has been to ignore any nation-specific crypto
regulations when developing standards.
Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
