[governance] The standards about the RPKI are out

Avri Doria avri at acm.org
Wed Feb 8 10:42:05 EST 2012


Hi,

Thanks again. 

This does bring up the question: to what extent will this capability be implemented by the equipment providers, and to what extent do people expect it to be deployed? Is there already a good lot of running code and trial implementations? Are ISPs buying into it and ready to test and deploy?

Also, are you arguing that there is nothing to be seen here, and we should just move on because there is no governance issue that needs exploration and understanding? I.e., IETF is taking care of it, so we have nothing to be concerned about.

Thanks

avri

On 8 Feb 2012, at 10:30, John Curran wrote:

> On Feb 8, 2012, at 4:03 PM, Avri Doria wrote:
> 
>> Hi John,
>> 
>> Thanks for the pointer, will read the draft.
>> 
>> From my first cursory glance, it seems like there might be a good governance discussion to be had that would revolve around this issue and that draft. I am not sure yet how this draft indicates that the author's contentions are overcome by events, but I will look for that understanding in my reading.
> 
> Per the referenced specification:
> 
> "  This document describes a mechanism by which an RP may override 
>   any conflicting information expressed via the putative TAs and 
>   the certificates downloaded from the RPKI repository system.
> 
>   To effect this local control, this document calls for a relying party
>   to specify a set of bindings between public key identifiers and
>   resources (IP resources and/or AS number resources) through a text
>   file known as a constraints file. The constraints expressed in this
>   file then take precedence over any competing claims expressed by
>   resource certificates acquired from the distributed repository
>   system. "
> 
> The result of its implementation is that any relying party (including 
> ISPs) can unambiguously determine which information from which trust 
> anchors they will believe, directly addressing the item raised in the author's 
> contention ("As long as it is unclear how RPKI achieves compatibility 
> among multiple roots, it is disingenuous to pretend that RPKI allows 
> ISPs a free choice of trust anchors")
> 
> Now, it is also the case that the understanding necessary to actually 
> configure these constraints to override any received TA information is 
> quite technical due to the nature of the PKI system, and thus non-trivial 
> to implement.  This will definitely inhibit capricious use, but won't get 
> in the way of ISPs putting appropriate entries in place if an egregious 
> act required intervention.
> 
> FYI,
> /John
> 
> John Curran
> President and CEO
> ARIN
> 
> 
> ____________________________________________________________
> You received this message as a subscriber on the list:
>     governance at lists.igcaucus.org
> To be removed from the list, visit:
>     http://www.igcaucus.org/unsubscribing
> 
> For all other list information and functions, see:
>     http://lists.igcaucus.org/info/governance
> To edit your profile and to find the IGC's charter, see:
>     http://www.igcaucus.org/
> 
> Translate this email: http://translate.google.com/translate_t

