The Chair introduced the BOF and explained the agenda.
- Certification Authority
Sanjaya, APNIC
This presentation outlined the development of the APNIC Certification Authority project and its relationship with the MyAPNIC project.
Questions and discussion
No questions.
Top
- MyAPNIC
Sanjaya, APNIC
This presentation outlined the development of the secure member service web interface known as MyAPNIC. MyAPNIC is intended to provide a simple, secure and flexible environment for members to update their database and administration records. There was a demonstration of how to install a certificate and an explanation of the features available in prototype MyAPNIC interface.
Questions and discussion
There was discussion about the value of MyAPNIC to members. In particular, it was stated that new members would find the interface valuable as the documentation and forms available on apnic.net can be difficult to understand.
It was stated that the forms available on APNIC, as well as on the other RIR sites, are difficult to complete, as the explanations are not always clear enough.
It was noted that RIPE would find a similar project to MyAPNIC valuable and would be looking at the progress of the APNIC project with interest.
There was a question about what happens when a user changes laptops or browsers. It was explained that this issue is yet to be solved, but that there are facilities to export the user's private key between users and browsers. It was noted that one organisation had recently scrapped private keys in favour of passwords due to this portability problem. It was noted that smart cards are not a solution to the private key issue either due to hardware constraints.
There was a discussion about the value of the data in relation to the relative authentication needs.
It was explained that there was still a lot of work to do on the backend development before any launch date can be given. A status report should be presented at the next meeting, a prototype presented at the meeting after that.
It was suggested that a schematic diagram would be a useful inclusion for future MyAPNIC updates.
Top
- The Role of a Registry Certificate Authority
Geoff Huston, Telstra
This presentation outlined the need for certificates to authenticate the routing of address prefixes to assist in the prevention of network abuse. Certification could speed up and strengthen the process of matching a customer's routing request with RIR records. The presentation noted that use of the tech-c and admin-c contacts in the RIR database is ineffective because these objects are not regularly updated and emails to those addresses become lost amongst many abuse complaints.
Questions and discussion
It was noted that this idea had been raised in other forums before but never implemented. In previous attempts, there had not been total agreement between all interested organisations. However, it was then noted that APNIC had already begun work on certificates for MyAPNIC and that the convergence with this proposition for certificates was not difficult.
It was noted that the technical solution was not an issue to be decided at the moment. Rather, the business model of the authentication process was the important issue from which the implementation plan should develop.
It was noted that there is currently ongoing activity looking at the development of similar systems that are interoperable between registry systems. Both RIPE NCC and APNIC are looking at developing authentication systems. It was noted that although ARIN investigating this issue, it would be raised for further consideration..
It was noted that any solution adopted by APNIC from a commercial source should be negotiated so that other related parties could adopt the same solution without high licensing costs.
Top
- General discussion
It was suggested that the DNS sec parent/child delegation option would be a useful issue for APNIC to investigate. A certificate record can be entered into any DNS record allowing a record of delegations of authority to be kept.
It was suggested that every APNIC delegation under 212.2.in.addr.arpa should be signed by APNIC and that delegations within that delegation should also be signed by the appropriate party.
There was a question about how a business model for certification would relate to the signed delegations in the DNS structure.
It was suggested that a practical demonstration and skills workshop be included at a future APNIC meeting to increase the skills base APNIC has in this area. ARIN expressed an interest in helping facilitate the gaining of relevant DNS authentication skills in the AP region.
There was an brief presentation �Operational testing of new DNS RR (resource records) types (and features)?by Bill Manning. As this project does not have any participants from the APNIC region there was a general invitation for participation.
Meeting Results
