
Re: [Ipsec] Specification of BGP IPsec policy



>     VPNC> One doesn't need to "buy" CAs; for example, there is SimpleCA
>     VPNC> from the VPN Consortium which is freeware (see
>     VPNC> <http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as
>     VPNC> well.
> 
>   Paul, you missed the point. It isn't the software.
> 
>   Which *certificate* authority should all BGP speaking organizations
> sign up for?  In a well top-down ordered Internet everyone would peer
> at IXs, and it would be clear that the IX could be the CA. Life isn't
> so simple.

What are the identifiers you're binding to the key with this CA?  
IP addresses?  Then the CA delegation hierarchy should follow the
address-delegation hierarchy: IANA to regional registries to ISPs.

Observation for the certificate-format-agnostic: Deploy DNSSEC
covering in-addr.arpa and you might get this delegation hierarchy "for
free".

						- Bill

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
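
The delegation rule suggested in the message above, sketched as an added example that is not part of the original post: each certificate binds an address block to a key, and a chain is accepted only if every block lies inside its issuer's block. The `Cert` fields, the function names and the sample prefixes are constructed for illustration; signature checking is deliberately left out, and `reverse_zone` only shows which in-addr.arpa zone corresponds to an octet-aligned IPv4 block.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:              # hypothetical, minimal certificate model
    subject: str
    issuer: str
    prefix: str          # address block bound to the subject's key

def validate_chain(chain, root_subject):
    """chain is ordered root first; returns (ok, reason)."""
    if not chain or chain[0].subject != root_subject \
            or chain[0].issuer != root_subject:
        return False, "chain does not start at the trusted root"
    parent = chain[0]
    for child in chain[1:]:
        if child.issuer != parent.subject:
            return False, f"{child.subject}: not issued by {parent.subject}"
        c = ipaddress.ip_network(child.prefix)
        p = ipaddress.ip_network(parent.prefix)
        # The child may only hold addresses its issuer was delegated.
        if c.version != p.version or not c.subnet_of(p):
            return False, f"{child.subject}: {c} is outside {p}"
        parent = child
    return True, "ok"

def reverse_zone(prefix):
    """in-addr.arpa zone for an octet-aligned IPv4 block."""
    net = ipaddress.ip_network(prefix)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 blocks map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(list(reversed(octets)) + ["in-addr", "arpa"])

# Constructed sample chains (192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges; the subject names are made up).
GOOD = [
    Cert("IANA", "IANA", "0.0.0.0/0"),
    Cert("Registry", "IANA", "192.0.0.0/8"),
    Cert("ISP-A", "Registry", "192.0.2.0/24"),
    Cert("bgp-speaker", "ISP-A", "192.0.2.1/32"),
]
BAD = GOOD[:2] + [Cert("ISP-B", "Registry", "198.51.100.0/24")]

if __name__ == "__main__":
    print(validate_chain(GOOD, "IANA"))
    print(validate_chain(BAD, "IANA"))
    print(reverse_zone("192.0.2.0/24"))
```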