Hey all,

On Dec 7, 2012, at 2:31 PM, "Carlos M. martinez" <[email protected]> wrote:

> Hey Chris et al,
>
> On 12/07/2012 03:34 AM, Christopher Morrow wrote:
> ... snip ...
>
>> I think somewhere 5-8 messages back Arturo's note that:
>> 1) hosted model is just a crutch
>> 2) hosted model isn't intended for everyone to use
>> 3) most large ISP or large operations groups are expected to run their own
>> CA
>>

Hosted model is ambiguous. Please differentiate between hosted CAs and centralised repository server. Some people, like Carlos wrt UI vs publishing, do, but not everywhere in this thread.. The pros and cons for hosted CAs and 'hosted' repositories are different. Current hosted solutions combine the two, but this is not necessarily the case in future. E.g. an organisation might choose to run their own non-hosted CA, but publish in one, or more (yeay..) central repositories.

> The hosted model is just about right for probably around ~80% of the
> routing participants out there. I don't think it's just a crutch, I
> think it answers a real community (or should I rather say, market)
> demand. It might have started as one, but IMO it hit a nail in the head.

+1 from our experience rolling this out.

> Let's face it: Most sites out there are not as technology-literate as we
> might like them to be. The dangers of screwing their own CA, losing
> their keys and mismanaging their publications are much higher if they
> host their own than if they trust a specialized third party.
>
> Hosted fills a gap. Sure, I don't think France Telecom, Verizon or
> Telmex should use hosted, they can do better. But the folk holding one
> AS, a /48 and a couple of IPv4 /22s, well, they are mostly better off
> using hosted.
>

In a way people are used to this. Lots of sites are already used to 'hosted' whois, IRR etc.

> The good thing here is that hosted is _optional_ (I think we are
> forgetting about this fact in all of this discussion). If you don't want
> it and want to get your feet wet, please go up/down.

Non-hosted is an option in our pilot, but so far we saw very little demand for it. We have four members playing with non-hosted in our pilot environment vs 1200+ using the hosted model in production. This includes big organisations.

>> coupled with eric's notes that:
>> 1) hosted seems fragile for lots of operations
>> 2) people should think long and hard about using the hosted model of
>> controlling their own fate
>>
>> gets the general gist of my point: "If you use the hosted model you
>> are equivalently outsourcing your Mail/SMTP infrastructure to another
>> person, be sure you want to do that..."
>
> Agree, people are still responsible for making conscious decisions.
> Then, taking your example, how many small ops right now host their own
> email? Probably not many.

Benefits of non-hosted CA:
- you have your own keys => in hosted a security breach can in principle let others do things with your keys like issue/revoke ROAs
- little risk of *your* UI being DDoS-ed

Benefit of hosted:
- low cost, easy to enable, no need to run your own (complex) systems

@Erik's remark regarding hosted HSMs. As Carlos said: we would also allow people to migrate between hosted and non-hosted: temporarily signing certs to both CAs, just for the time of transition.

Non-hosted CA management may well pick up one day, but imho this depends on uptake of RPKI for secure routing, and the availability of easy-to-use non-hosted solutions. Present day the benefit of doing this yourself is not clear enough to warrant the cost. If benefit goes up and cost goes down this might change. Comparing to the DNSSec world, imagine appliance boxes that network operators can put in a rack that let them do this.. Without this I seriously doubt there will be significant uptake of non-hosted. And without uptake of hosted I see no business case for vendors to build these things..

With regards to non-hosted publication.... In the current RPKI & sidr model (and I haven't seen a comprehensive alternative -- echo comment by Tony Tauber) objects will have to be downloaded. Having many small self-managed repositories does not seem the best way forward to me. It's difficult for relying party tools, it's likely that many of them will be poorly run and/or easy targets for more localised attacks. I see more in having a number of large repositories and allowing CAs to publish in more than one place to mitigate the risks of one of them being unavailable. Plus of course a set of 2.0 repository standards that give these repositories a fighting chance to achieve high-availability without having to re-invent the wheel here, and roll out 10s-100s of rsync servers across the globe. Think using tested and proven industry technology.. Like using immutable data, http, CDNs etc. When is the last time your googlebookcnnbbc website was completely unreachable?

Tim

> Warm regards,
>
> ~Carlos
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
