BGP Security and PKI Hierarchies

Regardless of what the legacy space users think, if the
RIRs decided to sign certificates for use in BGP route
for a small fee to recover costs, and if those legacy
space holders wish to make use of this new service (like
a new version of Windows) then they have to sign up and
pay the fees. The fact that they once received a free
service does not entitle them to receive *ALL* services
for free *FOREVER*.

(NOTE: I am speaking for others here, readers should be aware.)

The/One difficulty is that signing up for this new service,
for at least one registry, requires that you sign up for the
same membership relationship as the non-legacy-holders. That
means you submit to the registry authority over the address
you were allocated for "free", and obligates you to pay the
fee thereafter. And therefore risking having the address
reclaimed if membership rules are not met.

The question is whether the cert signing service is valuable enough
to warrant the change in risk. If the cert signing service is
put into use widely enough, then I hope people would see that as
a value and buy in.

(NOTE: I am not a registrar and any opinions here about registry
behavior are hearsay and conclusions of the witness.)

--Sandy

> The/One difficulty is that signing up for this new service,
> for at least one registry, requires that you sign up for the
> same membership relationship as the non-legacy-holders. That
> means you submit to the registry authority over the address
> you were allocated for "free", and obligates you to pay the
> fee thereafter.

The fees are not charged for past services that were
received for free, only for future services. I see
nothing wrong here. The RIR is offering these organizations
the same services at the same terms as everyone else.
This closely corresponds to the term "fair" in an
economic market context.

> And therefore risking having the address
> reclaimed if membership rules are not met.

If membership rules were hard to meet, then the existing
RIR members would be changing those rules. The RIRs are
membership organizations that respond to the desires of
their membership. I don't know of any reason why a
reasonable network operator would risk having their
address reclaimed. Essentially, the RIRs give addresses
to those who need them and use them. If a member needs
and uses an address range, then the RIRs are not
going to reclaim it.

> The question is whether the cert signing service is valuable enough
> to warrant the change in risk. If the cert signing service is
> put into use widely enough, then I hope people would see that as
> a value and buy in.

I hope so too. I think that the RIRs are in an ideal position
to offer certificate services and that as membership organizations
they are also a form of "web of trust" except that the trust is
not entirely transmitted in the form of encrypted codes.

I also think that the IN-ADDR.ARPA and IP6.ARPA services operated
by the RIRs are valuable and worthwhile to us all.

And I would like to see the RIRs offer services like Cymru
and routing registries on a more coordinated and *OFFICIAL*
basis. In fact, a recent query on the list pointed to an opportunity
to offer a registry of "intended use ASNs" where the holder of
an IP address range could indicate the ASNs in which they intend
to have their address range announced.

--Michael Dillon