AltDB?

note that while i am also an ARIN trustee, i am speaking here as what randy
calls "just another bozo on this bus". for further background, ISC has done
some rpki work and everybody at ISC including me likes rpki just fine. when
the ARIN board was first considering funding ISC to do some early rpki work,
i went out into the hallway until the discussion was over (ending positively.)

i have a rumor that arin is delaying and possibly not doing rpki that
seems to have been announced on the ppml list (to which i do not
subscribe).

john curran has explained that arin is doing its due diligence on some
concerns that were brought up during a review of the rpki rollout. there
is no sense in which arin has said that it is "not doing rpki" although the
current review does technically qualify as "delaying rpki". i'm treating
the above rumour as false.

David Conrad <drc@virtualized.org> writes:

I heard about the delay, but not about ARIN possibly not doing RPKI. That
would be ... surprising. [...]

it would be very much surprising to me as well.

[bush]

as it has impact on routing, not address policy, across north america
and, in fact the globe, one would think it would be announced and
discussed a bit more openly and widely.

even if i thought that the operational impact could be felt in these early
days when rpki remains an almost completely nonproduction service, and i
don't think this by the way, i would still say that an internal review of
a new service is not really something the whole community cares about.

[conrad]

The definition of what comes under the "public policy mailing list"
umbrella has always been a bit confusing to me. Too bad something like
the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN
region.

do you have a specific proposal? i've noted in the past that arin tries
hard to stick to its knitting, which is allocation and allocation policy.
it seems to me that if some in the community wanted arin to run SIGs or WGs
on things like routing policy arin could do it but that a lot of folks would
say that's mission creep and that it would be arin poaching on nanog lands.

[ caveat: i am *one of* the architects of all this, and am paid to work
  on it, currently (indirectly) by the usg dhs. ]

for background, the other four rirs have rolled rpki out in the last
weeks, apnic and afrinic with the up/down protocol, ripe web only, and i
am not well informed about lacnic's roll out. for the geeky, i append
the trust anchor locators for all but afrinic (i'll try to get that).

even if i thought that the operational impact could be felt in these
early days when rpki remains an almost completely nonproduction
service, and i don't think this by the way, i would still say that an
internal review of a new service is not really something the whole
community cares about.

well yes and no. it was important enough that (i have been told) john
announced it on major arin mailing list(s). and, as we all know, when
info is not openly visible, it gets warped in transmission. hence the
(i think you are saying) incorrect impression out here that the bot is
questioning rpki roll-out in general.

more recent rumors, and john's posting here, seem to indicate that

  o arin's lawyer, who actually seems to run arin, has created massive
    fud about liability.

  o so arin management is seriously reconsidering a web-only roll-out
    and seriously considering prioritizing being able to delegate the
    authority to the large isps by implementing the up/down protocol
    (draft-ietf-sidr-rescerts-provisioning-09.txt). i am a big fan of
    up/down. i am not a big fan of delay.

first, it would really help if the arin bot and management were much
more open about these issues and decisions. at the detailed level. we
are all not fools out here, present company excepted :). for a radical
example, considering that arin is managing a public resource for the
community, why are bot meetings not streamed a la cspan?

i do not see how you are going to get rid of the liability. you have it
now in whois/irr if i use it for routing (except they are so widely known
to be bad data that the world knows i would be a fool to bet on them).
whether the source of a roa is a user whacking on an arin web page or by
other means, you still attested to the rights to that address space.

but all this is based on inference and rumor. can you please be more
open and direct about this? thanks.

randy

Paul,

The definition of what comes under the "public policy mailing list"
umbrella has always been a bit confusing to me. Too bad something like
the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN
region.

do you have a specific proposal? i've noted in the past that arin tries
hard to stick to its knitting, which is allocation and allocation policy.

Yes. This is a positive (IMHO), however it seems that occasionally, ARIN's knitting tangles up folks who don't necessarily involve themselves with ARIN's existing interaction mechanisms (at least directly).

it seems to me that if some in the community wanted arin to run SIGs or WGs
on things like routing policy arin could do it but that a lot of folks would
say that's mission creep and that it would be arin poaching on nanog lands.

The issue I see is that there are non-address allocation{, policy} topics that can deeply affect network operations in which ARIN has a direct role, yet network operators (outside of the normal ARIN participants) have no obvious mechanism in which to comment/discuss/etc. Examples would include reverse DNS operations, whois database-related issues (operations, schema, access methods, etc.), (potentially?) RPKI, etc. It doesn't seem appropriate to me for these to be discussed in relation to addressing policy nor are the issues associated with those examples necessarily related to address allocation, hence I wouldn't think they'd be fodder for ppml.

In the other regions, the RIRs host the discussions (e.g., for reverse DNS-related discussions there is dns-wg in RIPE and dns-sig in APNIC, not sure if there are similar constructs in LACNIC or AfriNIC) and the RIR staff provides input but (as far as I know) do not direct results. Since the (non-ARIN) RIRs typically perform some action based on input from these hosted discussions (or explain to the community why they can't/won't), this works reasonably well. In the ARIN region, for reasons that you mention among others, I'm unclear whether there is sufficient trust (on both sides, ARIN or the ARIN-region network operations community) for ARIN to do something similar (note I'm not saying there isn't trust, just that I'm not sure that there is). One alternative (which I suggest being blissfully ignorant of either politics or establishment mechanisms in NANOG) would be for some sort of joint ARIN/NANOG "interest group" (or whatever) for areas that impact ARIN and network operators in which folks have interest such as routing policy/security, dns operations, registration data representation/access, etc.

So, in other words, no, I don't really have a specific proposal.

Regards,
-drc

The issue I see is that there are non-address allocation{, policy}
topics that can deeply affect network operations in which ARIN has a
direct role, yet network operators (outside of the normal ARIN
participants) have no obvious mechanism in which to
comment/discuss/etc. Examples would include reverse DNS operations,
whois database-related issues (operations, schema, access methods,
etc.), (potentially?) RPKI, etc. It doesn't seem appropriate to me
for these to be discussed in relation to addressing policy nor are the
issues associated with those examples necessarily related to address
allocation, hence I wouldn't think they'd be fodder for ppml.

please $deity no.

one difference in north america from the other 'regions' is that there
is a strong and very separate operator community and forum. this does
not really exist in the other regions. ripe ate the eof years ago.
apops is dormant aside from helping with apricot. afnog has been
strong, but is fading except for the once a year workshops. enredo may
be reborn, but we have yet to see.

observe that the main north american irr, radb, is not run by the rir,
unlike in other regions. and i like that there are a number of diverse
rir services in the region. it's healthy.

so i would be perfectly happy if arin discussed operational matters here
on nanog with the rest of us ops. i would not be pleased to see ops
start to be subsumed by the rir here.

randy

Date: Sat, 08 Jan 2011 15:47:51 +0900
From: Randy Bush <randy@psg.com>
...
more recent rumors, and john's posting here, seem to indicate that
...

even to the extent that i know what's really happened or happening, i'd
be loath to comment on rumours. i have high confidence in arin's board
and staff, and i believe that the right things are happening, even with
the delays. "right things" as in what's best for the community and for
the internet industry in the arin service region. as a strong proponent
of rpki and of all things like rpki that will strengthen infrastructure,
i remain delay-tolerant if review is the cost of getting it right.

first, it would really help if the arin bot and management were much
more open about these issues and decisions. at the detailed level. we
are all not fools out here, present company excepted :). for a radical
example, considering that arin is managing a public resource for the
community, why are bot meetings not streamed a la cspan?

can you cite some examples of nonprofit companies whose boards operate at
the level of transparency you're asking me to consider in this example?

the process of rolling out something like rpki involves some checks and
balances, it's no longer just a simple matter of the technical people "doing
the right thing" even though i remember older times when that was the way
most things on the internet worked.

i do not see how you are going to get rid of the liability. you have it
now in whois/irr if i use it for routing (except they are so widely known
to be bad data that the world knows i would be a fool to bet on them).
whether the source of a roa is a user whacking on an arin web page or by
other means, you still attested to the rights to that address space.

my own belief here (not speaking for ARIN or for the ARIN BoT) is that the
folks who use IRR/whois data to build route filters have a confidence level
much lower than those who will use RPKI to do the same will have. i know
that if i still had "enable" on anything other than my home router, that's
how i'd feel. also, liability isn't just "got rid of" it's also documented
and risk-managed, and doing that may require some kind of internal review.

but all this is based on inference and rumor. can you please be more
open and direct about this? thanks.

i don't know. john (speaking for ARIN) gave an excellent and complete answer
that i completely agree with. you're repeating some rumours which i won't
comment on one way or the other. if you have specific questions which were
not answered by john's response or which were raised by john's response you
should ask them. saying "i heard a rumour, would anyone care to refute it?"
is not going to move the conversational line of scrimmage at all.

paul

Randy,

one difference in north america from the other 'regions' is that there
is a strong and very separate operator community and forum.

Right. However, it seems to me that this strong separation has led to exactly the problem you raised. The issue, as far as I can tell, is that there are functions and services performed by ARIN that can impact the operational community yet even within the existing ARIN structures, there is no obvious (to me at least) mechanism by which the operational community can voice their concerns/provide input/etc. on these services and functions (excluding address allocation/policy of course).

so i would be perfectly happy if arin discussed operational matters here
on nanog with the rest of us ops.

I suspect the ambiguity of "operational matters" (and who defines what that is) and "discussed" will inevitably conspire to make you (and presumably other operators) less than "perfectly happy".

i would not be pleased to see ops start to be subsumed by the rir here.

That's a different topic. I'm talking about some mechanism by which ARIN and the operational community can communicate more effectively about the services ARIN provides as a public service.

Regards,
-drc

first, it would really help if the arin bot and management were much
more open about these issues and decisions. at the detailed level. we
are all not fools out here, present company excepted :). for a radical
example, considering that arin is managing a public resource for the
community, why are bot meetings not streamed a la cspan?

can you cite some examples of nonprofit companies whose boards operate at
the level of transparency you're asking me to consider in this
example?

fcc

one difference in north america from the other 'regions' is that there
is a strong and very separate operator community and forum.

Right. However, it seems to me that this strong separation has led to
exactly the problem you raised. The issue, as far as I can tell, is
that there are functions and services performed by ARIN that can
impact the operational community yet even within the existing ARIN
structures, there is no obvious (to me at least) mechanism by which
the operational community can voice their concerns/provide input/etc.
on these services and functions (excluding address allocation/policy
of course).

i will admit to some carry-over from the ietf's old high and mighty
attitude, "we're open, if you want to talk about it, come to our turf."
i am happy to say that this has been changing in recent years.

randy

From: David Conrad <drc@virtualized.org>
Date: Fri, 7 Jan 2011 21:01:52 -1000

> do you have a specific proposal? i've noted in the past that arin tries
> hard to stick to its knitting, which is allocation and allocation policy.

Yes. This is a positive (IMHO), however it seems that occasionally,
ARIN's knitting tangles up folks who don't necessarily involve
themselves with ARIN's existing interaction mechanisms (at least
directly).

the price of changing what ARIN does is, at a minimum: participation.

> it seems to me that if some in the community wanted arin to run SIGs
> or WGs on things like routing policy arin could do it but that a lot
> of folks would say that's mission creep and that it would be arin
> poaching on nanog lands.

The issue I see is that there are non-address allocation{, policy}
topics that can deeply affect network operations in which ARIN has a
direct role, yet network operators (outside of the normal ARIN
participants) have no obvious mechanism in which to
comment/discuss/etc. Examples would include reverse DNS operations,
whois database-related issues (operations, schema, access methods,
etc.), (potentially?) RPKI, etc. It doesn't seem appropriate to me
for these to be discussed in relation to addressing policy nor are the
issues associated with those examples necessarily related to address
allocation, hence I wouldn't think they'd be fodder for ppml.

they are, though. i understand the subtlety of the question, "is that a
policy matter?" but discussions on ppml@ have led to determinations of
"what is lameness?" and "when is a nameserver so lame that it's better to
remove it from in-addr than to leave it in?" i hear in what you're saying
a desire to have a way to impact ARIN's behaviour outside of NRPM edits
and perhaps ARIN does need to address this with some new online forum for
things which aren't allocation policy but which should still be decided
using community input. (as i recall my first act as a new ARIN trustee
was to sign onto a policy proposal that would have changed the way e-mail
templates worked, and at the end of the process the ARIN BoT shot it down
because it wasn't a policy, and i understood that decision. strange, eh?)

...

So, in other words, no, I don't really have a specific proposal.

perhaps others will chime in. i will continue to think about it also.

the price of changing what ARIN does is, at a minimum: participation.

aha! there we go. the old ietf attitude. you come to the mountain.

well, i'll tell you what i told the ietf. the high and mighty mountain
can bite my ass.

randy

Paul,

the price of changing what ARIN does is, at a minimum: participation.

Another view is that ARIN's whole and sole reason for being is to provide services to the network operators in the ARIN region. As such, it would be ill-advised for ARIN to change those services without consulting the community that ARIN serves and getting their buy-in. Hopefully, there's a middle ground.

i hear in what you're saying
a desire to have a way to impact ARIN's behaviour outside of NRPM edits
and perhaps ARIN does need to address this with some new online forum for
things which aren't allocation policy but which should still be decided
using community input.

Yep. Not sure it should be an ARIN-operated thing (nor am I sure that it shouldn't be), but something a bit more focused on the operation of services ARIN provides than ppml might be helpful.

Regards,
-drc

the price of changing what ARIN does is, at a minimum: participation.

aha! there we go. the old ietf attitude. you come to the mountain.
well, i'll tell you what i told the ietf. the high and mighty mountain
can bite my ass.

let me be a bit more clear on this

  o you affect the operational community, you talk with (not to) the
    operational community where the operational community talks

  o i have given a lot of blood to arin, far more than it deserved. so
    do not tell me i need to give more.

  o eighteen months or so ago, a gang of big arin folk guilt-tripped me
    into running for the board (which i founded back in '96-'97). i did
    the nomcom form and all that, AND WAS SILENTLY NOT ALLOWED ON THE
    BALLOT. never given notice or reason. so take your high and mighty
    open participation crap and shove it where the sun don't shine. but
    i sure was relieved, to tell the truth. my mental and physical
    health just don't need the arin vigilante high and mighty crap on a
    daily basis.

randy

Randy Bush writes:

one difference in north america from the other 'regions' is that there
is a strong and very separate operator community and forum. this does
not really exist in the other regions. ripe ate the eof years ago.
apops is dormant aside from [...]

Right.

observe that the main north american irr, radb, is not run by the rir,
unlike in other regions. and i like that there are a number of
diverse rir services in the region. it's healthy.

        ^^^ you mean "rr" I think.

so i would be perfectly happy if arin discussed operational matters
here on nanog with the rest of us ops. i would not be pleased to see
ops start to be subsumed by the rir here.

I'm sympathetic with that, but, like David said, the separation
(NANOG/ARIN) you have in North America does lead to issues such as not
being able to trust what's in the RR(s).

So I'm quite happy with the situation here in Europe, where RIPE
(deliberately ignoring the difference between RIPE NCC and the RIPE
community for a second) takes care of both running the address registry,
and running a routing registry that can leverage the same
authentication/authorization substrate. This makes the RR much more
trustworthy, and should really make the introduction of something like
RPKI much easier (albeit with the temptation to set it up in a more
centralized way than we might like).

Randy, what is the model you have in mind for running a routing registry
infrastructure that is sustainable and trustworthy enough for uses such
as RPKI, i.e. who could/should be running it? I guess I'm arguing that
from my non-North-American perspective, an ARIN with a carefully
extended mandate could be of much help here. So even if you're unhappy
with the current ARIN governance, maybe it would still be worthwhile for
the community to fix that issue - unless there are credible alternatives.

[ vix, apologies for giving you both barrels. you unintentionally
  pushed a hot button or two ]

Randy, what is the model you have in mind for running a routing
registry infrastructure that is sustainable and trustworthy enough for
uses such as RPKI, i.e. who could/should be running it?

<ietf heresy>
the pki wg sat with their thumbs up their nether sides for a decade
instead of working on a trust topology that mapped something a bit
more operationally realistic than x.500.
</ietf heresy>

so all we have is a hierarchic trust model. luckily, that matches the
topology of the resources we are tracking, ip address space and asns.
like ipv6, we're not going to go back a few decades and change either
the allocation topology (iana->{rirs+legacy}->...->...) or x.509.

[ and yes, i have put some time into thinking about hacking a pgp-based
  solution. probably i am just not smart enough. but i asked a bunch
  of folk smarter than i (target rich environment, i know), and did not
  find optimism. ]

so whether we like it or not, the rpki underlies formally verifiable
routing security. it's all we have. and i care a real lot about
formally verifiable routing security. a real lot.

so this is why i am so deeply concerned about the iana and the rirs'
actions, policies, engineering, operations, ... on this stuff. we are
married to them whether either side likes it or not, at least until the
youngest kid leaves for uni or gets a job.

I guess I'm arguing that from my non-North-American perspective, an
ARIN with a carefully extended mandate could be of much help here. So
even if you're unhappy with the current ARIN governance, maybe it
would still be worthwhile for the community to fix that issue - unless
there are credible alternatives.

i do not see much alternative. maybe if we could pry the iana away from
the domainer slime and the usg and maybe move it to iceland, it could
allocate directly and we could dump the regional address cartel. but it
is not likely. so we as the ops community need to work to make the
iana/rir system, pretty much as it is today, do the rpki deployment in a
manner we can trust and with which we can be comfortable.

randy

example, considering that arin is managing a public resource for the
community, why are bot meetings not streamed a la cspan?

Having watched Congress on CSPAN, and heard reports about open
ICANN Board meetings, it looks to me like making deliberative
meetings public means nothing substantive happens during meetings.
People get afraid to say anything that might make them look
ignorant, and just make prepared speeches. All decisions are made
ahead of time through private negotiations, which ends up being the
opposite of transparency.
I think ARIN's Board's output is better than Congress.

i do not see how you are going to get rid of the liability.

Looking at the ARIN Board minutes of

and https://www.arin.net/vault/about/welcome/board/meetings/2010_1122/ it looks like the
Board is requesting a more detailed liability assessment. Well-informed
decisions are more likely to be good than the other kind.

Lee

From: David Conrad <drc@virtualized.org>
Date: Fri, 7 Jan 2011 23:11:32 -1000

> the price of changing what ARIN does is, at a minimum: participation.

Another view is that ARIN's whole and sole reason for being is to
provide services to the network operators in the ARIN region.

yes.

As such, it would be ill-advised for ARIN to change those services
without consulting the community that ARIN serves and getting their
buy-in.

that's very much what i mean by participation. arin could never exist
without a community to serve. if there are better ways to serve the
community or better ways for the community to participate in steering
arin's services, then i'm very interested in discovering them.

Hopefully, there's a middle ground.

this *is* the middle ground. we're beyond the span of decades when a
couple of smart engineers could bang out a working solution that the
rest of the community would just adopt out of opportunity and inertia.
and let's not just blame-the-lawyers for that. the stakeholders in
the infrastructure of the information economy now number in the 'many'
and their views and needs have to be represented in the decisions that
get made by places like ICANN, IETF, the RIRs, and similar.

> i hear in what you're saying a desire to have a way to impact ARIN's
> behaviour outside of NRPM edits and perhaps ARIN does need to address
> this with some new online forum for things which aren't allocation
> policy but which should still be decided using community input.

Yep. Not sure it should be an ARIN-operated thing (nor am I sure that
it shouldn't be), but something a bit more focused on the operation of
services ARIN provides than ppml might be helpful.

count me as 'intrigued' and expect me to be thinking more about this.

Date: Sat, 08 Jan 2011 18:17:55 +0900
From: Randy Bush <randy@psg.com>

let me be a bit more clear on this

thanks.

  o you affect the operational community, you talk with (not to) the
    operational community where the operational community talks

i think arin does this today. certainly that is the intent. on the other
fork of this thread, drc has noted some ways that this engagement area can
be further improved, and i have counted myself as intrigued.

also, i neglected to mention in my earlier notes on this thread that in
addition to public policy meetings and the public policy mailing list
which are open to the entire community not just arin members and which
allow for remote participation not just those who can travel, arin has a
consultation and suggestion process (URL below). i urge all operators
and interested parties of the operational community to consider sharing
their perspectives and their wisdom with arin to guide it going forward.

  ARIN Consultation and Suggestion Process:
  https://www.arin.net/participate/community/acsp/

  ARIN Public Policy Mailing List:
  ARIN-PPML Info Page

  Meetings:
  Meetings & Events - American Registry for Internet Numbers
  ARIN XXVI Meeting Report - ARIN's Vault
  ARIN XXVI Meeting Report - ARIN's Vault
  ARIN XXVII Meeting Report - ARIN's Vault
  ARIN XXVIII Meeting Report - ARIN's Vault

  Fellowships:
  https://www.arin.net/participate/meetings/fellowships/

  Scholarships:
  https://www.arin.net/participate/meetings/scholarships.html

Date: Sat, 08 Jan 2011 18:08:12 +0900
From: Randy Bush <randy@psg.com>
Subject: Re: AltDB?

aha! there we go. the old ietf attitude. you come to the mountain.

well, i'll tell you what i told the ietf. the high and mighty mountain
can bite my ass.

Let me see if I've got this right -- you think ARIN should change their
policies, but _you_ are not willing to put in any personal effort to make
it happen, right?

Can you think of any good reason why _any_ organization should care about
the opinions of someone with that attitude?

Getting back to the original topic...sort of:

Looking at the data from altdb, it's not as widely used as I'd have guessed. There are 461 mntner objects. Of these, 268 use MAIL-FROM authentication. 192 use CRYPT-PW. At least those are the split if you look at just the first auth: for each mntner object...plenty of objects have multiple auth:'s and some even have multiple types like MAIL-FROM and PGP. In such a case, does a change request have to satisfy both auth's or just either one?

This makes me ask two questions.

1) Why did ARIN even bother setting up rr.arin.net with no authentication other than MAIL-FROM? Even CRYPT-PW, while weak would be far stronger and preferable to effectively no authentication.

2) Why does altdb (and presumably other RR's that support CRYPT-PW) only support DES and not MD5-crypt? It's not 1990 anymore. RFC 2622 says that CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a variety of formats, including MD5, which is popular at least with Linux.

I don't mean to whine that altdb doesn't support MD5...it'd be nice if it did, but at the price I'm paying for service ($0), I can't complain.

AFAIK, few networks base their BGP filters on the RR data, so I don't care too much about RPKI[1]. Who cares if ARIN certifies that my entries are legit if only a fraction of the net uses that data and there will always be portions of the net where anything goes and resource certification is ignored? What I do care about is that my peers or transits that use RR data to build filters use the data I put there, and that that data isn't tampered with by anyone with the minimal level of clue required to forge the from address on an email and construct an RPSL update email. Sure, we'd get email notification of the change...but if they time it right or the email doesn't get acted on quickly enough, filters might be built improperly.

[1] Don't care is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless.
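
An added example, not part of the original post and not altdb's or ARIN's code: a small audit of mntner objects that tallies the first auth: scheme, as the count above does, next to the effective one. RFC 2622 states that an update satisfying any one auth: attribute is accepted, so the weakest scheme listed decides. The sample objects, the strength ranking and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in RPSL (RFC 2622) syntax; every name, address and hash is made up.
SAMPLE = r"""
mntner:  MAINT-EX-A
auth:    MAIL-FROM .*@example\.net
source:  EXAMPLE

mntner:  MAINT-EX-B
auth:    CRYPT-PW xxEXAMPLEhash
source:  EXAMPLE

mntner:  MAINT-EX-C
auth:    PGPKEY-0A1B2C3D
auth:    MAIL-FROM ops@example\.org
source:  EXAMPLE

mntner:  MAINT-EX-D
auth:    CRYPT-PW $1$saltsalt$0123456789abcdefghijkl
source:  EXAMPLE

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EX-C
source:  EXAMPLE
"""

# Assumed ranking, weakest first (not from the RFC); unknown schemes rank lowest.
STRENGTH = {"UNKNOWN": 0, "NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGP-KEY": 3}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt


def parse_objects(text):
    """Split an RPSL dump into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():                      # a blank line ends an object
            if current:
                objects.append(current)
                current = []
        elif line[0] in "#%":                     # comment or server remark
            continue
        elif line[0] in " \t+" and current:       # continuation of the previous attribute
            name, value = current[-1]
            current[-1] = (name, (value + " " + line[1:].strip()).strip())
        else:
            name, sep, value = line.partition(":")
            if sep:
                current.append((name.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def scheme_of(token):
    """Map the first word of an auth: value to a scheme name."""
    token = token.upper()
    if token.startswith("PGPKEY-"):               # RFC 2726 spelling of the PGP scheme
        return "PGP-KEY"
    return token if token in STRENGTH else "UNKNOWN"


def crypt_format(auth_info):
    """Classify a CRYPT-PW hash; DES crypt only uses the first 8 password characters."""
    if DES_CRYPT.match(auth_info):
        return "des"
    return "md5-crypt" if auth_info.startswith("$1$") else "other"


def audit(text):
    """Tally first vs. effective (weakest) auth scheme per mntner object."""
    first, effective, crypt, downgraded = Counter(), Counter(), Counter(), []
    for obj in parse_objects(text):
        if obj[0][0] != "mntner":
            continue
        auths = [v.split(None, 1) for k, v in obj if k == "auth" and v]
        schemes = [scheme_of(a[0]) for a in auths] or ["NONE"]
        weakest = min(schemes, key=lambda s: STRENGTH[s])
        first[schemes[0]] += 1
        effective[weakest] += 1
        if STRENGTH[weakest] < max(STRENGTH[s] for s in schemes):
            downgraded.append((obj[0][1], weakest))   # a stronger auth: is bypassable
        for a in auths:
            if scheme_of(a[0]) == "CRYPT-PW" and len(a) == 2:
                crypt[crypt_format(a[1])] += 1
    return {"first": first, "effective": effective,
            "crypt": crypt, "downgraded": downgraded}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```
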

Getting back to the original topic...sort of:

thanks!

[1] Don't care is probably too strong. At this point in time, I don't think
it makes sense to get hung up on it and refuse to do any authentication if
we're not doing RPKI, but not implement RPKI, because we haven't worked out
all the details on how it'll be done. As it is, rr.arin.net is pretty much
worthless.

I don't think rr.arin.net and RPKI have anything to do with each
other. I think the direction the RPKI should/is taking is to have the
RIR sign a ROA to the ORG that they allocate the address space to...
Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
ORG that they assign address space to.

Ideally you should be able to ask the RPKI system: "I have 1.2.3.0/24
in a bgp announcement, origin'd by AS1234. Is that proper?" Ideally
that magic doesn't happen on the "router" but a digested form of the
data is available making much of the heavy-lifting not router-based.

The parts of the puzzle here that ARIN (or really any RIR) is
responsible for are the 'signing roas to allocatees' (the "up/down
protocol" as it's referred to in the drafts -
<http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09>)
and potentially having a system which permits end-users/ORGs to enter
data which generates ROA data (and sends that along to some
publication point for the rest of the routing world to
download/digest).

I believe the 'up/down protocol' part here is critical, the "web
server" part ... I'm not sure is so critical, maybe a third party
makes that happen outside of the ARIN management chain?

Using someone not yourself (ARIN or another third party) to manage
your ROA data means you probably have (in the most simple case) given
the ability to that third party to sign objects for you, that means
they have your private key(s) and can break you by
mistake/malfeasance/oversight/etc. For this reason some folks may be
ok with using a third party, many will choose to hold their fate in
their own hands.

-Chris
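
An added example, not part of the thread and not any RIR's or router vendor's code: the question "1.2.3.0/24 originated by AS1234, is that proper?" answered from a digested list of ROA payloads, following the route origin validation procedure later published as RFC 6811. The prefix and AS number come from the message above; all other ROA entries and the function names are constructed for the illustration.

```python
import ipaddress

# Constructed ROA payloads as (prefix, maxLength, origin AS). Only the first
# entry uses values from the message above; the rest are made-up test data.
ROAS = [
    ("1.2.3.0/24", 24, 1234),
    ("198.51.100.0/24", 26, 64501),   # holder allows more-specifics down to /26
    ("2001:db8::/32", 48, 64502),
    ("203.0.113.0/24", 24, 0),        # AS0: holder says "do not route this"
]


def load_vrps(roas):
    """Parse and sanity-check ROA payloads before they are used for filtering."""
    vrps = []
    for prefix, max_len, asn in roas:
        net = ipaddress.ip_network(prefix)        # strict: rejects set host bits
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_len} for {prefix}")
        vrps.append((net, max_len, asn))
    return vrps


def validate(prefix, origin_asn, vrps):
    """Return (state, reason) where state is 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    reasons = set()
    for net, max_len, asn in vrps:
        # A payload "covers" the route when the route lies inside its prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == 0 or asn != origin_asn:         # AS0 never matches any origin
            reasons.add("origin AS not authorized")
        elif route.prefixlen > max_len:
            reasons.add("more specific than maxLength")
        else:
            return ("valid", f"matched {net} maxLength {max_len} AS{asn}")
    if not covered:
        # No ROA speaks for this space at all: unknown, not a violation.
        return ("not-found", "no covering ROA")
    return ("invalid", "; ".join(sorted(reasons)))


VRPS = load_vrps(ROAS)

if __name__ == "__main__":
    checks = [
        ("1.2.3.0/24", 1234),          # the announcement from the message
        ("1.2.3.0/24", 64511),         # same prefix, different origin
        ("1.2.3.0/25", 1234),          # right origin, too specific
        ("198.51.100.128/26", 64501),  # more-specific within maxLength
        ("192.0.2.0/24", 64500),       # nothing published for this space
        ("203.0.113.0/24", 64500),     # covered only by an AS0 ROA
    ]
    for prefix, asn in checks:
        print(prefix, f"AS{asn}", *validate(prefix, asn, VRPS))
```
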