North American Network Operators Group

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
On Thu, 24 Nov 2005, George Michaelson wrote:

> According to what I understand, there have to be two certificates per entity:
>
> one is the CA-bit enabled certificate, used to sign subsidiary certificates about resources being given to other people to use.
>
> the other is a self-signed NON-CA certificate, used to sign route assertions you are attesting to yourself: you make this cert using the CA cert you get from your logical parent.

So how is the 2nd one different from the first? In both cases you give permission to certain use of a resource under your control. If you look at it the only difference is:

- To authorize reallocations you sign request based on another entity's ORG object,
- To authorize announcement you sign request based on another entity's ASN object (can be your own ASN).

But in general ASN object is also basically a type of ORG with extra data (i.e. ASN# and ASN name), so I don't see why you can't use one cert (if somebody does not list AS# for their org I guess they can't route independently).

--
William Leibzon
Elan Networks
[email protected]
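Added example (not part of the original message or of any proposal discussed in the thread): a minimal Python model of the two-certificate scheme described in the quoted text, showing what a relying party would check for a delegation versus a route assertion. Signatures are not modelled; the Cert class, the function names, the rule that route assertions come only from a non-CA cert, and the documentation prefixes and ASNs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class Cert:
    subject: str
    is_ca: bool                      # the "CA bit" (basicConstraints)
    prefixes: list                   # address resources the cert covers
    asns: set                        # AS numbers the cert covers
    issuer: Optional["Cert"] = None  # None marks the trust anchor

def covers(parent: Cert, prefixes, asns) -> bool:
    """True if every prefix and ASN is contained in the parent's resources."""
    nets = [ip_network(p) for p in parent.prefixes]
    def inside(p):
        c = ip_network(p)
        return any(n.version == c.version and c.subnet_of(n) for n in nets)
    return all(inside(p) for p in prefixes) and set(asns) <= parent.asns

def chain_ok(cert: Cert) -> bool:
    """Walk to the trust anchor: every issuer must be a CA holding the resources."""
    while cert.issuer is not None:
        parent = cert.issuer
        if not parent.is_ca or not covers(parent, cert.prefixes, cert.asns):
            return False
        cert = parent
    return cert.is_ca  # the trust anchor itself must be a CA

def route_assertion_ok(signer: Cert, prefix: str, origin_asn: int) -> bool:
    """Assumed rule: accept a route assertion only from a non-CA cert whose
    chain validates and whose resources include the prefix and origin ASN."""
    return (not signer.is_ca and chain_ok(signer)
            and covers(signer, [prefix], [origin_asn]))

# Constructed sample hierarchy (documentation prefixes and private-use ASNs).
rir = Cert("RIR", True, ["192.0.2.0/24", "198.51.100.0/24"], {64500, 64501})
isp_ca = Cert("ISP CA", True, ["192.0.2.0/24"], {64500}, rir)
isp_ee = Cert("ISP EE", False, ["192.0.2.0/24"], {64500}, isp_ca)
cust_ca = Cert("Customer CA", True, ["192.0.2.128/25"], set(), isp_ca)
rogue = Cert("Rogue", True, ["192.0.2.0/25"], set(), isp_ee)  # issued by a non-CA
overclaim = Cert("Overclaim", False, ["198.51.100.0/24"], {64500}, isp_ca)

if __name__ == "__main__":
    for c in (isp_ee, cust_ca, rogue, overclaim):
        print(c.subject, "chain valid:", chain_ok(c))
```

In this model the only structural difference between the two certificates is the CA bit: it decides whether a key may extend the delegation chain or may only sign assertions at the end of it.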