|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
[ you know all this, but i think it is worth going through the exercise ] > That said, I think the problem is that we need an algebra of trust > that will let a program, not a human, decide whether or not to trust a > certficate. You don't want to accept something if it's a twisty loop > of subsidiaries or allied evil ASs vouching for each other. OTOH, > there are some situations where we know that absolute trust is > indicated -- say, 701 signing 702's certificate, or an upstream > signing the address certificate for a customer. > And it's not just honesty, it's competence you're assessing -- we've > all seen problems when major ISPs didn't get their filters > straight. not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net. but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question. the bottom line is which would i trust more in the latter sense, an asn cert signed by an external hierarchy or a cert signed by one or more of 70x, 1239, 2914, ...? it seems more natural if the identity trust is congruent with the trust of business relationships. a similar reason for my prefering sbgp-like architectures, the attestation model is congruent with the routing model. it turns out most folk have a business relationsip with an rir. but some don't, e.g. jis. and those who do not have become very worried about their ability to route on the internet being at the mercy of organizations some of which have specifically said that legacy cert renewal would be tied directly to the isp or entity paying the rir as if they had gotten the legacy address space from the rir (i think i have sensed some backing off from this rather extreme position). but the point is that some folk are not happy with their identity being controlled by an external party with no skin in the game with whom they would otherwise have no relationship. [ before you say it, i have suggested that a pseudo-rir be created for legacy asns and prefixes ] in particular, i have a business relationship with 1239 and 2914, but no business relationship with ripe. should i trust ripe's signing the identity of anja's asn more or less than 666 signing it and 666's identity being attested to by 1239 and 701, the latter likely being cross-signed by 1239 and 2914? > Furthermore, given that a trust algebra may yield a trust value, > rather than a simple 0/1, is it reasonable to use that assessment > as a BGP preference selector? That would tie the security very > deeply -- too deeply? -- into BGP's guts. i am aware of other research proposals where routing trust is ordinal or even real depending on various distances. randy
|