Suspenders: A Fail-safe Mechanism for the RPKI
2015
The Resource Public Key Infrastructure (RPKI) is an authorization
infrastructure that allows the holder of Internet Number Resources
(INRs) to make verifiable statements about those resources. The
certification authorities (CAs) in the RPKI issue certificates to
match their allocation of INRs. These entities are trusted to issue
certificates that accurately reflect the allocation state of resources
as per their databases. However, there is some risk that a CA will
make inappropriate changes to the RPKI, either accidentally or
deliberately (e.g., as a result of some form of "government mandate").
The mechanisms described below, referred to as "Suspenders," are
intended to address this risk. Suspenders enables an INR holder to
publish information about changes to objects it signs and publishes in
the RPKI repository system. This information is made available via a
file that is external to the RPKI repository, so that Relying Parties
(RPs) can detect erroneous or malicious changes related to these
objects. RPs can then decide, individually, whether to accept changes
that are not corroborated by independent assertions by INR holders, or
to revert to previously verified RPKI data.
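The RP-side decision the abstract describes, as an added illustration that is not code from the draft: each newly fetched object is compared with the last verified version, a change is accepted only if the INR holder's independently published file corroborates it, and uncorroborated changes are either reverted or accepted according to the RP's own policy. The object names, contents and the hash-per-object layout of the external file are assumptions made for this example.

```python
import hashlib
from typing import Dict, Optional, Tuple

UNLISTED = object()  # sentinel: the holder's file says nothing about this object


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconcile(previous: Dict[str, str], fetched: Dict[str, bytes],
              assertions: Dict[str, Optional[str]], strict: bool = True
              ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Decide, per object, what the RP should use.

    previous   : name -> sha256 of the last successfully verified version
    fetched    : name -> bytes just retrieved from the RPKI repository
    assertions : name -> sha256 the INR holder published outside the repository
                 (None means the holder asserts the object was removed)
    Returns name -> (decision, sha256 the RP keeps, or None if nothing kept).
    """
    decisions = {}
    for name in set(previous) | set(fetched) | set(assertions):
        old = previous.get(name)
        new = sha256_hex(fetched[name]) if name in fetched else None
        asserted = assertions.get(name, UNLISTED)
        if new == old:
            decisions[name] = ("unchanged", old)          # nothing to corroborate
        elif asserted is not UNLISTED and asserted == new:
            decisions[name] = ("accepted-corroborated", new)
        elif strict:
            decisions[name] = ("reverted", old)           # keep last verified data
        else:
            decisions[name] = ("accepted-uncorroborated", new)
    return decisions


# Constructed sample: one ROA legitimately updated and announced by the holder,
# one replaced in the repository without any corresponding holder assertion.
ROA_A_V1 = b"AS64496 192.0.2.0/24 maxLength 24"
ROA_A_V2 = b"AS64496 192.0.2.0/24 maxLength 24\nAS64496 198.51.100.0/24 maxLength 24"
ROA_B_V1 = b"AS64496 203.0.113.0/24 maxLength 24"
ROA_B_ALT = b"AS64511 203.0.113.0/24 maxLength 24"  # change the holder never announced

PREVIOUS = {"roa-a.roa": sha256_hex(ROA_A_V1), "roa-b.roa": sha256_hex(ROA_B_V1)}
FETCHED = {"roa-a.roa": ROA_A_V2, "roa-b.roa": ROA_B_ALT}
ASSERTIONS = {"roa-a.roa": sha256_hex(ROA_A_V2)}

if __name__ == "__main__":
    for name, (decision, digest) in sorted(reconcile(PREVIOUS, FETCHED, ASSERTIONS).items()):
        print(f"{name}: {decision} -> {digest}")
```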