BGP Security and PKI Hierarchies (was: Re: Wifi Security)

I think the problem is both easier and harder than painted. First, you
need a business agreement that you will accept each others' assertions
of member identities, aka certificates. Second, you have to agree on a
common format and meaning for certain fields, including thinks like

I'm not sure if I think the technical specs or the business agreement
are the hard parts...

    --Steven M. Bellovin,

Ah the business issues start bubbling to the surface. Have you noticed
for various reasons network service providers don't like to "sign"
or "certify" the business activities of other entities. In the 1990's
several network service providers (AT&T, BBN, etc) established PKIs, but
now very few network service provider will "certify" S/MIME e-mail, SSL
web, or other type of third-party activity.

Although techincal folks may think its just about math, unfortunately some
people think certificates and signatures mean more than just mathmatical
formulas. I'm a bit confused why people think network service providers
will be willing to "certify" transitive trust relationships about business
relationships between third-parties.

Given that ISPs even refuse or manipulate their AS objects to hide real peering or transit details for business reasons, getting them to sign certificates for these relationships might prove even harder...

- kurtis -