North American Network Operators Group

Re: IP Block 99/8 (DHS insanity - offtopic)
On Mon, 23 Apr 2007, Chris L. Morrow wrote: I think the strawman proposals so far were something like:

You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.

The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. I forgot my password) to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for "me".

An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.