[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report
benm at workonline.africa
Thu Apr 11 11:31:19 UTC 2019
On 2019-04-10 21:02:41+02:00 Alex Band wrote:
> This is most certainly a corner case, but is at least theoretically possible given that all RIRs claim 0/0 in their root certs.
Corner case or not, in my opinion it’s a very slippery slope to use such an example.
The RIRs have put in proper measures to make sure such a scenario doesn’t occur. For example, precisely for this reason the RIPE NCC have a more constrained “RIPE NCC Managed Resources” intermediate certificate in place, from which all Member Certificates are derived.
I'm not a fan of the default claims in the RIR root certs, and I'm not a fan of OOB workarounds that can't be verified cryptographically. My understanding is that this practice is in order to avoid re-issuing the root as the result of a transfer, but given that the cert which a TAL points at can change (as long as the keypair is the same) without touching the TAL, I've never understood why this workaround was necessary.
If you agree with the practice, I'm open to persuasion.
If we're going to be stuck with disjoint per-RIR RPKIs forever, we (RPs) should at least be able to verify that they are disjoint!
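As an added illustration (not code from this thread or from any RIR or RP implementation), here is a small relying-party-side model of the two checks the message above asks for: flagging a trust anchor that claims 0/0, and checking that the per-RIR resource sets are actually disjoint, alongside the RFC 6487-style containment check that the constrained intermediate relies on. The TA names and prefixes are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed, hypothetical resource sets (not real RIR data).
# Root certs as described in the thread: every RIR root claims 0/0.
TA_ROOTS = {
    "RIR-A": ["0.0.0.0/0", "::/0"],
    "RIR-B": ["0.0.0.0/0", "::/0"],
}
# Constrained "managed resources" intermediates: one per RIR, disjoint.
TA_MANAGED = {
    "RIR-A": ["192.0.2.0/24", "2001:db8::/32"],
    "RIR-B": ["198.51.100.0/24", "203.0.113.0/24"],
}
# A member certificate issued under RIR-A's intermediate.
MEMBER = ["192.0.2.0/25", "2001:db8:1::/48"]


def parse(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def claims_everything(prefixes):
    """True if the resource set contains an all-of-IPv4 or all-of-IPv6 (0/0) claim."""
    return any(n.prefixlen == 0 for n in parse(prefixes))


def is_subset(child, parent):
    """RFC 6487-style containment: every child prefix must lie within a parent prefix
    of the same address family; anything else is a validation failure."""
    parents = parse(parent)
    return all(
        any(c.version == p.version and c.subnet_of(p) for p in parents)
        for c in parse(child)
    )


def overlapping_tas(tas):
    """Return the pairs of TA names whose resource claims overlap at all.
    An empty list means the per-RIR RPKIs really are disjoint."""
    found = []
    for (a, pa), (b, pb) in combinations(tas.items(), 2):
        if any(x.version == y.version and x.overlaps(y)
               for x in parse(pa) for y in parse(pb)):
            found.append((a, b))
    return found


if __name__ == "__main__":
    for name, res in TA_ROOTS.items():
        print(name, "claims 0/0:", claims_everything(res))
    print("root overlaps:", overlapping_tas(TA_ROOTS))
    print("managed overlaps:", overlapping_tas(TA_MANAGED))
    print("member within RIR-A:", is_subset(MEMBER, TA_MANAGED["RIR-A"]))
```

Run against real TA certificates this would need an RFC 3779 extension parser in front of `parse()`; the logic after that point is unchanged.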