Re: [sidr] is a longer announce invalid or not found?

Sandra Murphy <Sandra.Murphy@sparta.com> Mon, 03 October 2011 08:51 UTC

Date: Mon, 03 Oct 2011 04:54:26 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Randy Bush <randy@psg.com>
In-Reply-To: <m2hb3tsq58.wl%randy@psg.com>
Message-ID: <Pine.WNT.4.64.1110030437470.8756@SMURPHY-LT.columbia.ads.sparta.com>
References: <m2d3eilpnq.wl%randy@psg.com> <20110930101754.GB10004@juniper.net> <m2ehyytj2l.wl%randy@psg.com> <20110930122831.GA10176@juniper.net> <m2bou2t7x5.wl%randy@psg.com> <3B65FD95-2E66-4D1F-B630-976ECE99050A@ericsson.com> <m2sjndsrs5.wl%randy@psg.com> <7309FCBCAE981B43ABBE69B31C8D213914A3308B30@EUSAACMS0701.eamcs.ericsson.se> <m2mxdlsqzu.wl%randy@psg.com> <m2ipo9sqlg.wl%randy@psg.com> <Pine.WNT.4.64.1109301651080.3100@SMURPHY-LT.columbia.ads.sparta.com> <m2hb3tsq58.wl%randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] is a longer announce invalid or not found?

speaking as a regular ol' member

On Sat, 1 Oct 2011, Randy Bush wrote:

>>> cool hack 14.3: the router itself can gen the public/private key pair
>>> a la ssh, the person configuring can extract the public key and send
>>> it to the rpki goddesses to be signed by the appropriate cert and put
>>> in the rpki.  the private key never leaves the router!
>> I believe that Steve Kent says that usually a certificate request is
>> required to present Proof Of Possession (of the private key).  So just
>> discovering the public key somehow would not be sufficient to be able
>> to request a cert with that public key.
>
> dear dr nit pick,
>
> when dealing with goddesses, one always frames things as a request

I am not at all sure what you mean.

Cautiously, I'll try to say what I meant again.

You say "the person configuring" could extract the public key and get a 
cert created for that public key.

The request would have to be accompanied by Proof of Possession of the 
private key - e.g., something like a signature might do.

Unless the "person configuring" has access to the private key on the 
router, there would be no way to produce the Proof of Possession.

I read what you were suggesting as the customer router gen-ing the key 
pair and the "person configuring" sitting at the provider, off-router.

Maybe you meant the provider was doing the configuration of the customer 
router, in which case the provider would have access to the private key 
for the proof of possession for the request.

(Of course, if the provider has that much access to the customer router, 
the line blurs between the key-gen-ing happening on the provider side or 
the customer side.)

--Sandy, speaking as regular ol' member
>
> randy
>
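An added illustration of the point under discussion (example code, not from this thread or any RPKI implementation): the issuing side checks the self-signature on a PKCS#10 request as proof of possession, so a party that only extracted the router's public key cannot produce an acceptable request. It assumes a P-256 ECDSA router key and PKCS#10 as the request format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// routerKeyPair stands in for the router generating its own key pair (P-256 assumed).
func routerKeyPair() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCSR builds a PKCS#10 request; its self-signature is the proof of possession.
func makeCSR(priv *ecdsa.PrivateKey, cn string) []byte {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		panic(err)
	}
	return der
}

// checkPoP is the issuer-side check: verify the request's self-signature against
// the key it carries, then confirm that key is the one the requester extracted.
func checkPoP(csrDER []byte, expectedPub *ecdsa.PublicKey) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(expectedPub) {
		return errors.New("request signed by a key other than the extracted public key")
	}
	return nil
}

func main() {
	router, off := routerKeyPair(), routerKeyPair() // "off" holds no router private key
	fmt.Println("router's own request:", checkPoP(makeCSR(router, "router"), &router.PublicKey))
	fmt.Println("off-router request:", checkPoP(makeCSR(off, "router"), &router.PublicKey))
}
```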