Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

Randy Bush <randy@psg.com> Sat, 05 May 2012 03:46 UTC

Date: Fri, 04 May 2012 17:46:54 -1000
Message-ID: <m2pqaje1ch.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Chris Morrow <morrowc@ops-netman.net>
In-Reply-To: <4FA49734.5090504@ops-netman.net>
References: <CE0C4A314044C843AEE900875D90D54E1084E0@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <4FA49734.5090504@ops-netman.net>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

> "From there, we can discuss the issue of, for example, HOW TO onboard
>  and purge signing and validating certificates to routers from the RPKI
>  [I suspect the intention was to use rpki-rtr protocol for this, but it
>  doesn't currently support it, nor are the security implications clear]."

it is very hard to understand this, but this is my guess.

certificates do not sign, keys do, and not the public keys which are in
the certificates, but the corresponding private keys.

the public keys used to validate bgpsec signatures are in router ee
certs in the rpki.  indeed some of the router ee cert's data will need
to be in validating routers.  indeed there currently is no specification
for how this is done.  indeed, the rpki-rtr protocol could be extended
to do this, should be trivial.

but, until we have the bgpsec protocol nailed down a bit further, this
would be premature.

and i have said this at least once before, though possibly in private
email to danny.

randy