[Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

Daniel Shaw danielshaw at protonmail.com
Wed Apr 10 13:11:04 UTC 2019


Hi Mark, Saul, Sunday, all,

I suppose that Cedrick or other staff may possibly reply in due course with more details as regards this specific implementation of a CA (aka the AFRINIC RPKI CA). However let me respond a bit generally about the reason to have an offline portion of a CA.

Ultimately, a CA involves certificates and crypto as we all know. And this needs keys, including private keys. The integrity of the entire system below the CA depends on the top level private keys being ... private.

To automate anything the system doing the automation needs to connect to the system being automated. In other words everything has to be "online" to an extent. The thinking, generally, is that anything that is connected to other things has the potential, however small the chance to be compromised. Therefore, the best way to ensure absolute and certain privacy of the all-important private key material is to "air-gap" it.

And thus it follows that when something else needs to be signed/verified using these offline keys, you also don't want to copy them online, even briefly and so you do the work offline and then copy the results back online. It is this copy - bridging the air gap - that requires a human.

Put another way: You can't really automate sneaker-net.

- Daniel

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, April 10, 2019 8:32 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:

> Thanks, Cedrick.
>
> A question that is, perhaps, obvious... are you able to take the human component out of this?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20190410/c33323d9/attachment.html>


More information about the Community-Discuss mailing list