IETF Logo Mail Archive

Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

Chris Morrow <morrowc@ops-netman.net> Sat, 05 May 2012 03:04 UTC

Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DD5F21F847D for <sidr@ietfa.amsl.com>; Fri, 4 May 2012 20:04:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oN7YiK14fTfP for <sidr@ietfa.amsl.com>; Fri, 4 May 2012 20:04:51 -0700 (PDT)
Received: from mailserver.ops-netman.net (mailserver.ops-netman.net [IPv6:2001:470:e495:fade:5054:ff:fe79:69db]) by ietfa.amsl.com (Postfix) with ESMTP id 223C721F8473 for <sidr@ietf.org>; Fri, 4 May 2012 20:04:51 -0700 (PDT)
Received: from [192.168.1.125] (c-98-204-226-233.hsd1.va.comcast.net [98.204.226.233]) (Authenticated sender: morrowc@OPS-NETMAN.NET) by mailserver.ops-netman.net (Postfix) with ESMTPSA id 3A65F3202F6; Sat, 5 May 2012 03:04:50 +0000 (UTC)
Message-ID: <4FA498D1.7060201@ops-netman.net>
Date: Fri, 04 May 2012 23:04:49 -0400
From: Chris Morrow <morrowc@ops-netman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120410 Thunderbird/11.0.1
MIME-Version: 1.0
To: Jakob Heitz <jakob.heitz@ericsson.com>
References: <4FA48240.9060405@ops-netman.net> <CE0C4A314044C843AEE900875D90D54E10847F@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <CAL9jLaZMkT-F5x5LAsjDhXsNnbG9akLhEotwT-eC=-6yX0J0kw@mail.gmail.com> <7309FCBCAE981B43ABBE69B31C8D213921BE2860C3@EUSAACMS0701.eamcs.ericsson.se>
In-Reply-To: <7309FCBCAE981B43ABBE69B31C8D213921BE2860C3@EUSAACMS0701.eamcs.ericsson.se>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "Sandra.Murphy@sparta.com" <Sandra.Murphy@sparta.com>, "sidr-ads@tools.ietf.org" <sidr-ads@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 May 2012 03:04:51 -0000

On 05/04/2012 11:01 PM, Jakob Heitz wrote:
> Might it be possible to create the key pair on the router?
> Then you don't have to move the private key to the router,
> You move the public key off the router. Much easier.

you could, but I presume the thing being created is really a cert 
(ee-cert) and is signed by the 'as-cert' that is published in the RPKI 
so folk can say:
This route I see, is signed by bloof123 which is signed by bloof-asn - 
that looks like AS123's cert, and the sig is in the place where AS123 is 
supposed to be"

So, you'd need to effectively (I think) do a CSR, send that to the CA 
for signing, and off back with the actual Cert to the device.

-chris

v2.30.2 | Report a Bug | By Email | System Status