North American Network Operators Group


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Steven M. Bellovin
  • Date: Wed Nov 23 20:46:01 2005

In message <[email protected]>, George Michaelson writes:
>
>According to what I understand, there have to be two certificates per
>entity:
>
>	one is the CA-bit enabled certificate, used to sign subsidiary
>	certificates about resources being given to other people to use.
>
>	the other is a self-signed NON-CA certificate, used to sign
>	route assertions you are attesting to yourself: you make this
>	cert using the CA cert you get from your logical parent.
>
Or your parent could have a CA and issue you two certs, one for signing 
route assertions and one for signing certificates you issue to your 
downstreams.  That in turn has another interesting implication: an ISP 
can *enforce* a contract that prohibits a downstream from reselling 
connectivity, at least if the resold connectivity includes a BGP 
announcement -- the ISP would simply decline to sign a CA certificate 
for its customer, thereby depriving it of the ability to delegate 
portions of its address space.  (N.B.  Certificates include usage 
fields that say what the cert is good for.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
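
Added example, not part of the original message or of any deployed system: a minimal Python model of the hierarchy discussed above, showing how a validator that checks the issuer's CA bit and usage field rejects a route assertion delegated by a customer who was only issued a route-signing certificate. The `Cert` fields, names and prefixes are assumptions made for illustration, and signatures are not modeled, only the issuance chain.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Cert:                       # hypothetical model, not a real X.509 parser
    subject: str
    prefixes: tuple               # address space the cert covers
    is_ca: bool                   # models the CA bit
    usage: str                    # models the usage field: "certSign" or "routeSign"
    issuer: Optional["Cert"] = None   # None marks the trust anchor

def inside(prefix, cert):
    """True if prefix falls within one of the cert's prefixes."""
    return any(ip_network(prefix).subnet_of(ip_network(p)) for p in cert.prefixes)

def validate_route(prefix, signer, anchor):
    """Return (ok, reason) for a route assertion made with `signer`."""
    if signer.is_ca or signer.usage != "routeSign":
        return False, f"{signer.subject}: cert not valid for route assertions"
    if not inside(prefix, signer):
        return False, f"{signer.subject}: prefix outside certified space"
    cert = signer
    while cert.issuer is not None:
        parent = cert.issuer
        # Only a CA certificate may issue; this is the enforcement point.
        if not (parent.is_ca and parent.usage == "certSign"):
            return False, f"{parent.subject}: issuer lacks a CA certificate"
        # A child may never hold more address space than its issuer.
        if not all(inside(p, parent) for p in cert.prefixes):
            return False, f"{cert.subject}: resources exceed issuer's"
        cert = parent
    if cert is not anchor:
        return False, "chain does not reach trust anchor"
    return True, "ok"

# Constructed sample hierarchy (illustrative names and prefixes).
registry = Cert("registry", ("10.0.0.0/8",), True, "certSign")
isp_ca = Cert("isp-ca", ("10.1.0.0/16",), True, "certSign", registry)
# The ISP issues its customer a route-signing cert but declines to sign a CA cert.
cust_rt = Cert("customer-route", ("10.1.2.0/24",), False, "routeSign", isp_ca)
# The customer tries to delegate anyway, issuing from its non-CA cert.
resold = Cert("reseller-route", ("10.1.2.128/25",), False, "routeSign", cust_rt)

if __name__ == "__main__":
    print(validate_route("10.1.2.0/24", cust_rt, registry))
    print(validate_route("10.1.2.128/25", resold, registry))
```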