Re: [Ipsec] Specification of BGP IPsec policy
> VPNC> One doesn't need to "buy" CAs; for example, there is SimpleCA
> VPNC> from the VPN Consortium which is freeware (see
> VPNC> <http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as
> VPNC> well.
>
> Paul, you missed the point. It isn't the software.
>
> Which *certificate* authority should all BGP speaking organizations
> sign up for? In a well top-down ordered Internet everyone would peer
> at IXs, and it would be clear that the IX could be the CA. Life isn't
> so simple.
What are the identifiers you're binding to the key with this CA?
IP addresses? Then the CA delegation hierarchy should follow the
address-delegation hierarchy: IANA to regional registries to ISPs.
Observation for the certificate-format-agnostic: Deploy DNSSEC
covering in-addr.arpa and you might get this delegation hierarchy "for
free".
- Bill
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
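Added example, not part of the original message: a sketch of the rule that a CA hierarchy bound to IP addresses follows address delegation, so each subject's block must sit inside its issuer's block, plus the in-addr.arpa zone name where a DNSSEC-signed delegation for that block would live. The holder names and prefixes are constructed, signature verification is omitted, and only octet-aligned IPv4 prefixes are mapped to zones.

```python
import ipaddress

# Constructed sample chain (hypothetical holders, illustrative prefixes).
# Each entry: (subject name, address block bound to that subject's key).
CHAIN = [
    ("IANA", "0.0.0.0/0"),
    ("regional-registry", "192.0.0.0/8"),
    ("example-isp", "192.0.2.0/24"),
    ("bgp-speaker", "192.0.2.1/32"),
]


def check_chain(chain):
    """Return (ok, reason). Every subject block must lie inside its issuer's block."""
    nets = [(name, ipaddress.ip_network(p, strict=True)) for name, p in chain]
    for (issuer, inet), (subject, snet) in zip(nets, nets[1:]):
        # Compare versions first: subnet_of() raises TypeError on v4/v6 mixes.
        if inet.version != snet.version or not snet.subnet_of(inet):
            return False, f"{subject} {snet} is outside {issuer} {inet}"
    return True, "ok"


def reverse_zone(prefix):
    """in-addr.arpa zone for an IPv4 prefix on an octet boundary (/8, /16, /24, /32)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{prefix}: not an octet-aligned IPv4 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


if __name__ == "__main__":
    print(check_chain(CHAIN))
    for name, prefix in CHAIN[1:]:
        print(f"{name:18} {prefix:16} {reverse_zone(prefix)}")
    # A speaker claiming an address its issuer was never delegated is rejected.
    print(check_chain(CHAIN[:3] + [("bgp-speaker", "198.51.100.1/32")]))
```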