Eric,
Just for the sake of clarity.
Not sure if I understand, but the hosted system does not work 100% in the
way that you described.
Yes, the hosted system keeps your private key, but you can modify your ROAs
anytime you want. At least the hosted systems that I know provide a web
interface to do that. The ROA would be published immediately or a few
minutes/hours later, depending on the rpki-operator (my personal view and
with my network operator hat on is that it should be immediately or in
minutes).
You could argue that effectively the hosted system "does it for you"
and "you require conversation with them", but the way described is a bit
misleading because it gives the impression that it is a slow or
human-driven process when in reality it's not.
As for EE certs for routers, those do not exist yet in the rpki-operator
systems (AFAIK), so anything here would be a guess.
Cheers
/as
On 06/12/2012 15:55, Eric Osterweil wrote:
> What is this statement based on?
> ``The stub ASes are likely to only run simplex bgpsec and they would
> likely contract out publication''
> Also, each hosted instance that is _not_ flat still needs infrastructure
> objects (GB, Mft, CA, etc) + DNS domain name + Also a noteworthy point about
> your hosted model ( ;) ) is that hosted models remove resource holders'
> abilities to manage their own information directly. That is, if I have you
> host my info, and you have my private key, you likely cannot give that key to
> me for me to make my own operational changes (if you have it in an HSM, that
> private key cannot be shared). So, I (as a resource holder) cannot author
> changes to my (say) ROA, or create new router EE certs unless _YOU_ do it for
> me. So, right now, that would require conversations like, ``hey ARIN, can
> you generate a new ROA for me since I have a new feasible origin?'' (no big
> deal), but in the future that would be, ``hey ARIN, can you create a new EE
> cert for my router, and send me both the pub/priv key pair so I can configure
> a new router (or $n$ new routers)?'' I'd hazard that _this_ is a much bigger
> deal, especially with the need for a private key exchange. One more
> complexity to note. ;)
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr