Hi,
On 2020/05/27 10:16 PM, Job Snijders via 44Net wrote:
Hi,
On Wed, May 27, 2020, at 13:54, Christopher Munz-Michielin via 44Net wrote:
Happy to help set things up. From a technical perspective it would be relatively straightforward; the challenge is in getting the 44net trust anchor included by all the major RPKI vendors and networks. I'm not sure where to begin on that side.
You'd need to publish a "Certification Practice Statement" and adhere to the procedures described in that document, then RPKI vendors are able to understand the nature of the service and can test how it would interact with their existing systems. As an example: my expectation would be that network operators require the Trust Anchor's top-level certificate to immediately narrow its claimed certification authority to the 44net blocks themselves and nothing else.
The IANA CA is the root of all RIR CAs; maybe it's easier to work directly with IANA than with millions of equipment vendors.
We should note there currently is no industry-recognized procedure to establish and globally recognize new RPKI Trust Anchors, other than perhaps ICANN's ICP-2 process.
There's also the CA/B Forum, which has been around for a while, regulating public-facing PKIs. RPKI is like an adopted PKI stripped to the bare minimum. It discourages the use of identity assertions [RFC 6480], has fewer X.509 extensions [RFC 6488], and is RSA only [RFC 7935]; the CPS template [RFC 7382] is the BCP. This very scoped manner makes a CA much easier to implement, with most defaults preset.
In summary: I expect that setting up RPKI services for 44net will be costly to operate and a lot of paperwork. I'm not saying this to discourage you, just to help recognise that it would be a significant project.
This project looks fun and more rewarding than the challenges it poses. Please allow me the honor of participating!
Best,
Quan
Kind regards,
Job
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
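Job's expectation above, that the 44net trust anchor's top-level certificate narrow its claimed certification authority to the 44net blocks and nothing else, is a property a relying party can check mechanically on the certificate's RFC 3779 IP resource extension. The Python below is an added example, not code from this thread or from any RPKI validator. The blocks it allows (44.0.0.0/9 and 44.128.0.0/10) are an assumption made for the example, the sample extension values are constructed inline with the example's own encoder, and all function names are the example's own. It decodes the DER `IPAddrBlocks` value directly, since common X.509 libraries do not parse that extension natively.

```python
"""Check that an RPKI trust anchor's RFC 3779 IP resources are narrowed to allowed blocks."""
import ipaddress

def _der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets that follow
        nlen = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nlen], "big"), pos + nlen
    return tag, buf[pos:pos + length], pos + length

def _iter_seq(content):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val

def _prefix_bits(net):
    """addressPrefix BIT STRING body: unused-bit count, then exactly prefixlen bits."""
    nbytes = (net.prefixlen + 7) // 8
    return bytes([nbytes * 8 - net.prefixlen]) + net.network_address.packed[:nbytes]

def _addr_bits(addr, strip_bit):
    """addressRange endpoint: RFC 3779 drops trailing 0 bits from min, trailing 1 bits from max."""
    n, width = int(addr), addr.max_prefixlen
    keep = width
    while keep and ((n >> (width - keep)) & 1) == strip_bit:
        keep -= 1
    nbytes = (keep + 7) // 8
    unused = nbytes * 8 - keep
    return bytes([unused]) + ((n >> (width - keep)) << unused).to_bytes(nbytes, "big")

def build_ipaddrblocks(families):
    """DER-encode IPAddrBlocks from [(afi, items)]: items is None for 'inherit',
    else a list of prefix strings and/or (min, max) address tuples."""
    out = b""
    for afi, items in families:
        body = b""
        for it in [] if items is None else items:
            if isinstance(it, tuple):
                lo, hi = ipaddress.ip_address(it[0]), ipaddress.ip_address(it[1])
                body += _der(0x30, _der(0x03, _addr_bits(lo, 0)) + _der(0x03, _addr_bits(hi, 1)))
            else:
                body += _der(0x03, _prefix_bits(ipaddress.ip_network(it)))
        choice = _der(0x05, b"") if items is None else _der(0x30, body)  # NULL = inherit
        out += _der(0x30, _der(0x04, afi.to_bytes(2, "big")) + choice)
    return _der(0x30, out)

def _bits_to_int(content):
    """Decode a BIT STRING body to (integer value, number of significant bits)."""
    unused, data = content[0], content[1:]
    return int.from_bytes(data, "big") >> unused, len(data) * 8 - unused

def _decode_item(tag, content, width):
    """(lo, hi) integers for an addressPrefix (BIT STRING) or addressRange (SEQUENCE).
    A prefix is its own min and max: pad with 0s for lo and with 1s for hi."""
    mn, mx = (content, content) if tag == 0x03 else (v for _, v in _iter_seq(content))
    v, nbits = _bits_to_int(mn)
    lo = v << (width - nbits)
    v, nbits = _bits_to_int(mx)
    return lo, (v << (width - nbits)) | ((1 << (width - nbits)) - 1)

def _coalesce(nets):
    """Merge prefixes into sorted disjoint (lo, hi) spans, so one range covering two
    adjacent allowed prefixes still counts as covered."""
    merged = []
    for lo, hi in sorted((int(n.network_address), int(n.broadcast_address)) for n in nets):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def check_ta_resources(ext_der, allowed):
    """Return (ok, problems): ok only if no address family uses 'inherit' and every
    claimed IPv4/IPv6 resource lies inside the union of `allowed`."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    cover = {v: _coalesce([n for n in nets if n.version == v]) for v in (4, 6)}
    problems = []
    _, blocks, _ = _read_tlv(ext_der, 0)
    for _, fam in _iter_seq(blocks):
        (_, afi_bytes), (choice_tag, choice) = _iter_seq(fam)
        ver, width = (4, 32) if int.from_bytes(afi_bytes[:2], "big") == 1 else (6, 128)
        cls = ipaddress.IPv4Address if ver == 4 else ipaddress.IPv6Address
        if choice_tag == 0x05:  # NULL: a trust anchor has no issuer to inherit from
            problems.append(f"IPv{ver}: 'inherit' is not acceptable in a trust anchor")
            continue
        for tag, item in _iter_seq(choice):
            lo, hi = _decode_item(tag, item, width)
            if not any(a <= lo and hi <= b for a, b in cover[ver]):
                problems.append(f"IPv{ver}: {cls(lo)}-{cls(hi)} is outside the allowed blocks")
    return not problems, problems

# Assumed 44net blocks: an assumption made for this example, not taken from the thread.
ALLOWED_44NET = ["44.0.0.0/9", "44.128.0.0/10"]

# Constructed sample extension values; none comes from a real certificate.
TA_SCOPED = build_ipaddrblocks([(1, ["44.0.0.0/9", "44.128.0.0/10"])])
TA_RANGE = build_ipaddrblocks([(1, [("44.0.0.0", "44.191.255.255")])])  # one range over both blocks
TA_ALL = build_ipaddrblocks([(1, ["0.0.0.0/0"]), (2, ["::/0"])])  # RIR-style "everything" root
TA_INHERIT = build_ipaddrblocks([(1, None)])
TA_OVERBROAD = build_ipaddrblocks([(1, ["44.0.0.0/8"])])  # also claims 44.192.0.0/10, outside the assumed blocks

if __name__ == "__main__":
    for name in ("TA_SCOPED", "TA_RANGE", "TA_ALL", "TA_INHERIT", "TA_OVERBROAD"):
        ok, problems = check_ta_resources(globals()[name], ALLOWED_44NET)
        print(f"{name:12} {'accept' if ok else 'reject'} {problems}")
```

With pyca/cryptography the raw extension value of a parsed certificate can be taken from `cert.extensions.get_extension_for_oid(x509.ObjectIdentifier("1.3.6.1.5.5.7.1.7")).value.value` (id-pe-ipAddrBlocks arrives as an `UnrecognizedExtension`) and handed to `check_ta_resources`. The check rejects `inherit` outright, because a trust anchor has no issuer to inherit from, and merges the allowed prefixes before testing containment so that a single range spanning adjacent blocks is accepted. AS resources (id-pe-autonomousSysIds) and DER canonical-ordering rules are out of scope here.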