Hi,
On 2020/05/27 10:16 PM, Job Snijders via 44Net wrote:
> Hi,
> On Wed, May 27, 2020, at 13:54, Christopher Munz-Michielin via 44Net wrote:
> > Happy to help set things up. From a technical perspective it would be
> > relatively straightforward; the challenge is in getting the 44net trust
> > anchor included by all the major RPKI vendors and networks. I'm not
> > sure where to begin on that side.
> You'd need to publish a "Certification Practice Statement" and adhere to the
> procedures described in that document; then RPKI vendors are able to understand
> the nature of the service and can test how it would interact with their existing
> systems. As an example: my expectation would be that network operators require
> the Trust Anchor's top-level certificate to immediately narrow its claimed
> certification authority to the 44net blocks themselves and nothing else.
The IANA CA is the root of all RIR CAs; maybe it's easier to work directly
with IANA than with millions of equipment vendors.
> We should note there currently is no industry-recognized procedure to establish and
> globally recognize new RPKI Trust Anchors, other than perhaps ICANN's ICP-2 process.
There's also the CA/B Forum, which has been around for a while, regulating
public-facing PKIs. RPKI is like a PKI adapted and stripped to the bare minimum. It
discourages the use of identity assertions [RFC 6480], has fewer X.509
extensions [RFC 6488], and is RSA only [RFC 7935]; the CPS template [RFC 7382]
is the BCP. This very scoped approach makes the CA much easier to
implement, with most defaults preset.
> In summary: I expect that setting up RPKI services for 44net will be costly to operate
> and a lot of paperwork. I'm not saying this to discourage you, just to help recognise
> that it would be a significant project.
This project looks fun, and more rewarding than the challenges it poses.
Please allow me the honor of participating!
Best,
Quan
> Kind regards,
> Job
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net