[governance] The standards about the RPKI are out

John Curran jcurran at arin.net
Wed Feb 8 10:30:25 EST 2012


On Feb 8, 2012, at 4:03 PM, Avri Doria wrote:

> Hi John,
> 
> Thanks for the pointer, will read the draft.
> 
> From my first cursory glance, it seems like there might be a good governance discussion to be had that would revolve around this issue and that draft. I am not sure yet how this draft indicates that the author's contentions are overcome by events, but I will look for that understanding in my reading.

Per the referenced specification:

"  This document describes a mechanism by which an RP may override 
   any conflicting information expressed via the putative TAs and 
   the certificates downloaded from the RPKI repository system.

   To effect this local control, this document calls for a relying party
   to specify a set of bindings between public key identifiers and
   resources (IP resources and/or AS number resources) through a text
   file known as a constraints file. The constraints expressed in this
   file then take precedence over any competing claims expressed by
   resource certificates acquired from the distributed repository
   system. "

The result of its implementation is that any relying party (including 
ISPs) can unambiguously determine which information from which trust 
anchors they will believe, directly addressing the item raised in the 
author's contention ("As long as it is unclear how RPKI achieves 
compatibility among multiple roots, it is disingenuous to pretend that 
RPKI allows ISPs a free choice of trust anchors").

Now, it is also the case that the understanding necessary to actually 
configure these constraints to override any received TA information is 
quite technical due to the nature of the PKI system, and thus non-trivial 
to implement.  This will definitely inhibit capricious use, but won't get 
in the way of ISPs putting appropriate entries in place if an egregious 
act required intervention.

FYI,
/John

John Curran
President and CEO
ARIN

