The drafts discuss which objects it makes sense to sign, a canonicalization order for the fields to be signed, a format like DKIM for specifying the fields being signed, and thus defining what is not being signed, and pointers to the public key certificate objects which in system help you identify the RPKI signing chain authority over the signatures.
I don't see what your problem is. If somebody defines an RPSL BANK-CHEQUE: object, then presumably a simple yes/no question eventuates: does this object relate to any internet number resources? If not, then it doesn't seem a good candidate for being signed over in a PKI. If it does, then I really think it's in-system.

I think you're using a very big hammer of 'Randy says no' to hit a very small nail of 'let's see if we can define sensible specs for PKI signing over RPSL'. They are smart guys. I think they can bring a problem to the table.

-G

On Fri, Aug 23, 2013 at 9:42 AM, Randy Bush <[email protected]> wrote:
> > Here's hoping that others follow your lead in replying promptly.
>
> ok, if you really wish
>
> > From: George Michaelson
> > I believe this work is important and should continue, and be adopted
> > by the WG as a deliverable. RPKI has the capability to provide PKI
> > assurance over information which lies outside of BGP, as well as
> > informing BGP, and I think constructing the appropriate formalisms
> > over signing of RPSL objects will materially enhance trust in the
> > statements made in RPSL, relating to internet number resources.
>
> it's a pki and has keys. so the keys in it could be used to sign bank
> transactions. that does not mean we should do so.
>
> the trust model of the rpki is that of a hierarchy of prefix ownership.
> the rpsl has objects for which prefixes have no authority. that the
> rpsl has no inherent trust path has led to one being patched on in some
> implementations in a rather half-assed manner. adding another
> authorization model on top of that is not gonna make it any cleaner.
>
> this is trying to make a silk purse out of a sow's ear.
>
> but you can put a sow's ear in a silk purse, well kinda
>
> $ whois -h whois.rpki.net 147.28.0.0
> route: 147.28.0.0/16
> descr: 147.28.0.0/16-16
> origin: AS3130
> notify: [email protected]
> mnt-by: MAINT-RPKI
> changed: [email protected] 20130414
> source: RPKI
>
> randy, who was a poster child for the rps for many many years
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
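The mechanism George describes above (pick the fields to sign, canonicalize them in a fixed order, record the covered field list DKIM-style in the signature, and point at the signing certificate) is easy to get wrong in exactly the way DKIM's `h=` tag is: whatever is not listed is not protected, so a verifier has to check not only that the signature is valid but that it covers the fields its policy cares about. The following is an added illustration, not code from the drafts or from either poster, using the route object from Randy's whois output as sample input. HMAC-SHA256 stands in for a real RPKI certificate signature so it runs on the standard library alone; the `signature:` attribute syntax (`h=`, `c=`, `b=`), the key, and the certificate URI are all constructed for the example.

```python
"""Added illustration: DKIM-style selective signing of an RPSL object.

Not the drafts' actual format. HMAC-SHA256 stands in for an RPKI certificate
signature; the signature attribute syntax, key and certificate URI are
constructed for this example.
"""
import hashlib
import hmac

# Constructed sample, modelled on the whois output quoted on the list.
SAMPLE_OBJECT = """\
route:   147.28.0.0/16
descr:   147.28.0.0/16-16
origin:  AS3130
notify:  [email protected]
mnt-by:  MAINT-RPKI
changed: [email protected] 20130414
source:  RPKI
"""
DEMO_KEY = b"constructed-demo-key"                    # stand-in for the signer's private key
CERT_URI = "rsync://rpki.example/ca/MAINT-RPKI.cer"   # placeholder pointer into the RPKI
SIGNED_ATTRS = ["route", "origin", "mnt-by"]          # covered fields; notify:/changed: are not


def parse_rpsl(text):
    """Parse 'attr: value' lines into an ordered list of (attr, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonicalize(pairs, signed_attrs):
    """Canonical form: only the listed attributes, in the listed order, with
    lowercase names and whitespace-collapsed values, one per LF-terminated line."""
    lines = []
    for attr in signed_attrs:
        values = [v for a, v in pairs if a == attr]
        if not values:
            raise ValueError(f"signed attribute missing: {attr}")
        for v in values:
            lines.append(f"{attr}:{' '.join(v.split())}\n")
    return "".join(lines).encode()


def sign_object(text, key, signed_attrs, cert_uri):
    """Append a signature attribute naming the covered fields (h=), the
    certificate pointer (c=) and the signature value (b=)."""
    digest = hmac.new(key, canonicalize(parse_rpsl(text), signed_attrs), hashlib.sha256).hexdigest()
    return text + f"signature: h={','.join(signed_attrs)}; c={cert_uri}; b={digest}\n"


def verify_object(text, key, required=("route", "origin")):
    """Return (ok, reason). Recomputes over the fields the signature names and
    rejects a signature whose coverage omits any attribute in `required`."""
    pairs = parse_rpsl(text)
    sig = [v for a, v in pairs if a == "signature"]
    if len(sig) != 1:
        return False, "no single signature attribute"
    params = dict(p.strip().split("=", 1) for p in sig[0].split(";") if "=" in p)
    if "h" not in params or "b" not in params:
        return False, "malformed signature attribute"
    signed_attrs = params["h"].split(",")
    missing = set(required) - set(signed_attrs)
    if missing:
        return False, "signature does not cover required fields: " + ",".join(sorted(missing))
    try:
        canon = canonicalize(pairs, signed_attrs)
    except ValueError as exc:
        return False, str(exc)
    actual = hmac.new(key, canon, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual, params["b"]):
        return False, "signature mismatch over " + ",".join(signed_attrs)
    return True, "verified over " + ",".join(signed_attrs)


def demo():
    """Sign the sample; an edit to an unsigned field passes, an edit to a signed
    field fails, and a policy demanding an uncovered field rejects the object."""
    signed = sign_object(SAMPLE_OBJECT, DEMO_KEY, SIGNED_ATTRS, CERT_URI)
    return {
        "original": verify_object(signed, DEMO_KEY)[0],
        "changed_edited": verify_object(signed.replace("20130414", "20130901"), DEMO_KEY)[0],
        "origin_edited": verify_object(signed.replace("AS3130", "AS64496"), DEMO_KEY)[0],
        "too_few_fields": verify_object(signed, DEMO_KEY, required=("route", "origin", "descr"))[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

The `changed_edited` case is the point of the exercise: the edit to `changed:` is invisible to the signature because that field is not in `h=`, which is by design, but it also means a consumer must read `h=` rather than treat "signature valid" as "object untouched". The `required` check is the policy half of that, analogous to a DKIM verifier insisting that `From:` be among the signed headers.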
