RIPE NCC Resource Certification System: Initial Deployment 1 January 2011
Dear colleagues, With just seven IPv4 address blocks available in the IANA pool, we are hurtling towards the end of an era. With this prospect, the registry function of the five Regional Internet Registries (RIRs) is going to be crucial to the Internet community. More than ever, it is important to know who is the legitimate holder of a block of IP addresses. With this as a primary driver, the RIPE NCC (in coordination with the other four RIRs) is planning to deploy a system that attaches digital certificates to Internet number resources (IP address blocks and Autonomous System (AS) Numbers). A more complete description of the benefits of resource certification can be found at: http://www.ripe.net/certification/ The RIPE NCC has had a beta platform for certification up and running for several months now. More than 100 RIPE NCC members have enabled certification under this pilot program, providing the RIPE NCC with valuable feedback. On 1 January 2011, the RIPE NCC will launch a hosted production system, which will allow all LIRs to generate a certificate of holdership, which will be held in a repository maintained by the RIPE NCC. Network operators will also be able to start making routing decisions based on the system as of this date. Further iterations of this system will be deployed over the coming 12 months, including the option for LIRs to host their own Certificate Authority and generate certificates for their own customers. Digital certificates have helped make business on the Internet more secure. Now we are using resource certificates to make the Internet itself more secure. For more information, please visit: http://ripe.net/certification If you have any questions or comments, please email <ncc@ripe.net>. Best regards, Alex Band Product Manager, RIPE NCC
<pedantry>
On 1 January 2011, the RIPE NCC will launch a hosted production system, which will allow all LIRs to generate a certificate of holdership,
not exactly. it will allow LIRs to ask NCC to generate a cert for the LIR's holdings.
which will be held in a repository maintained by the RIPE NCC.
along with the LIR's [not so} private keys. this is sorely broken.
Network operators will also be able to start making routing decisions based on the system as of this date. Further iterations of this system will be deployed over the coming 12 months, including the option for LIRs to host their own Certificate Authority and generate certificates for their own customers.
and hold their own private keys. randy
Randy Bush wrote:
<pedantry>
On 1 January 2011, the RIPE NCC will launch a hosted production system, which will allow all LIRs to generate a certificate of holdership,
not exactly. it will allow LIRs to ask NCC to generate a cert for the LIR's holdings.
Regarding the "ask" - one of my private comments regarding the proposed certification policy was to suggest that the NCC, upon request, MUST (in IETF terminology] issue such a certificate. :-)
which will be held in a repository maintained by the RIPE NCC.
along with the LIR's [not so} private keys. this is sorely broken.
Network operators will also be able to start making routing decisions based on the system as of this date. Further iterations of this system will be deployed over the coming 12 months, including the option for LIRs to host their own Certificate Authority and generate certificates for their own customers.
and hold their own private keys.
randy
Wilfried
participants (3)
-
Alex Band
-
Randy Bush
-
Wilfried Woeber, UniVie/ACOnet