shane,
going through the mailbox to pick up any un-addressed issues, i came
across your comment
> what I've been attempting to ask here is how one configures, in one's
> _local_ RPKI cache (that syncs to the outside world), /where/ the
> RIR's publication points are on Day 1. Do I contact one RIR (which
> maintains a list of other RIR's publication points) -or- each RIR
> individually to ask what is their publication point? (If you can help
> provide an answer as to what is the expectation on the operator, I can
> then potentially help to provide text).
i think there are a number of issues here:
o the general issue of how one gets trusted trust anchor(s),
presumably out of band. this problem is not unique to the rpki, so
maybe we can get some help/clue here from the four or five steves in
the group.
o i do not see a reason to trust TAs shipped with software any more
than TAs from any other random source.
o one hopes that the current pathetic joke of having five RIR TAs will
pass. there is a long history of failing to really 'solve' a layer
nine cf at layers seven and below.
o the answer "iana will publish the root ta and sign it with their pgp
key" may be a bit too glib because ...
o we have an analogous problem for the operator who wants to use the
global rpki, an lta rpki, and a private ta for 1918 or whatever.
especially if the lta is built by a third party.
but i think that all this bs boils down to how to distribute a TA out of
band. all pkis have this problem, dnssec has this problem, ... i would
love to hear from the steves on this.
randy
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr