Inline.

>
> On Dec 6, 2012, at 5:54 PM, Arturo Servin wrote:
>
>> Eric
>>
>> Chris said it much better than me. Hosted rpki is like the "go-daddy" of
>> RPKI. It is intended as a bootstrapping solution to take rpki up.
>
> Maybe you can help me answer the questions I posed in my last email then?
> :-P
>

I tried, but maybe I was not clear.

>> The hosted solution is not aimed at everybody, it is aimed at
>> small/medium operators that otherwise would struggle to sign their
>> resources, run a CA, and run a repository.
>
> How do they get their private keys from you? This is important to think
> through _now_ before it becomes an operational blackhole...

"If a hosted ISP wants to go to up/down and run their own CA they can do that with a key-rollover and a "make before break" strategy."

In other words, you cannot. You can generate your own and make-before-break by publishing your new shiny cert with your own CA and then revoking the old one.

> Also, what
> happens if you get DDoS'ed and I need your services? In DNS, there are a
> lot of registrars to choose from, and no single point of failure...

There could be more hosted providers. RIRs are by no means the only ones. In fact, it would be very similar to the registry-registrar model.

> The
> RIRs are not as plentiful in numbers as them, so you are a higher value
> target this way...

The whole scenario does not seem too different to me if you host your DNS services and your registrar/hosted are DDoSed and you cannot change your NS records.

And in the same fashion as DNS hosted solutions, RPKI-hosted are aimed at specific organizations. If you want to be independent from any hosted solution, run your own DNS servers or your own CA.

The fact that hosted solutions are not DDoS resistant today does not mean that they cannot be in the future.

>
>> Large operators DO NOT need to use the hosted solution, they can if
>> they want but they can run their own CAs and they should.
>
> Anyone who uses you would need these services, it seems like it would be
> worth working out the ``what ifs,'' no?

This (RPKI in general, repositories, hosted solution) is very new and still evolving. I take your concerns very seriously and as a valuable input for improvement.

>
>> About the EE certs for router I didn't explain correctly. Hosted
>> solutions do not have it now because they haven't been defined yet (we
>> are still arguing about BGPSEC specs). However, in the moment that the
>> specs are ready router certs will be supported.
>
> If we've enshrined operations and practices (i.e. the hosted/HSM model)
> because we didn't think through the complexities, and that later impedes
> our needs, then we have been negligent. This seems like a pretty serious
> problem and it ought to be worked out now before we decide people should
> be doing the hosted anything.

I found it a bit hard to engineer a system without specs. I thought that this thread was precisely about BGPSEC specs. Once we have the specs, then hosted-rpki solutions can incorporate them.

>
> Eric

Regards,
/as
