Hi all, APNIC has a "terms and conditions" but it is not yet a formal CPS. We are working on that. We also have investigated cross-certification from a well known commercial CA on February this year. However, the quoted price of US$50,000 a year is not justified in our opinion. We are also considering a formal audit once our CPS has been formalised. Please note that at present our certificates are used for identifying member staff to access internal aplication (MyAPNIC), so the subject of third-party trust issues may not yet apply. By the time 3rd parties become involved (eg allocation/route certification), we would certainly have more standard CA/PKI structures in place. This is a new area for most of us, and we are very open to advice and input from the community. Cheers, Sanjaya APNIC CA Project Manager
-----Original Message----- From: db-wg-admin@ripe.net [mailto:db-wg-admin@ripe.net] On Behalf Of Randy Bush Sent: Thursday, 17 July 2003 12:52 AM To: Jan Meijer Cc: Patrik Fältström; ncc-services-wg@ripe.net; db-wg@ripe.net Subject: Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
so i am supposed to install the RIRs' certs in my browser as root CAs and ignore the big hole for attack this opens? i already *remove* a bunch of root CAs when i bring up a new browser. this is the new internet. get paranoid. I might overlook something but what's the big hole
someone getting at the root CA key at an RIR
Specify 'few'. As far as I know this it is not cheap to have your PKI signed by one of the 'well-trusted' root CAs.
maybe not cheap for a student, but an RIR can afford it
Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop?
no, the RIRs can sign their customers certs.
maybe a tutorial is needed on how this stuff works. paf, is there one readily available?
From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser then to simply trust what's in your root certificate store.
when the RIRs' procedures to protect their root CA keys are audited by third parties who have the expertise to do so.
randy