Hi!
I object to making x.509 the sole method of authenticated communication with RIPE.
There's GPG, and it works, now.
I think this is an exaggeration. The only form of authenticated communication which works now over the Internet is SSL combined with HTTP.
Why, then, do I read so much about failed key mgmt, bugs in openssl and the like all the time, which shows that it is a major operational PITA?
The choice of which secure technology is irrelevant.
Fine, then we can concentrate on GPG and we do not need x.509 based systems?
The security features of the technology are irrelevant.
I do not argue about whether one is more secure than the other, I argue about the operational it requires now and in the future. It looks to me like a major time-burner. Especially now that RIPE is suggesting "hey, we have GPG and X.509, choose". I thought we all learned from Tanenbaum that having multiple concurrent standards does not really solve any problems.
The only thing that matters is how easy will it be to use the new technology and how will RIPE teach people to use the technology and what tools will RIPE make available to people to run on their Windows machines, Macintosh machines and UNIX workstations so that they can use this new technology as easily as they use the web or email today.
GPG isn't necessarily any easier to learn and use than X.509 is.
Maybe, that's what http://www.gnupg.org/(en)/related_software/frontends.html is for.
Remember, the audience for this is the LIR staff who administer IP address allocations. They are not necessarily engineers or technical people. They probably don't use UNIX workstations and they probably don't know how to write scripts or use a command line.
They don't need to, see above.

-- 
MfG/Best regards, Kurt Jaeger    16 years to go !
LF.net GmbH        fon +49 711 90074-23    pi@LF.net
Ruppmannstr. 27    fax +49 711 90074-33
D-70565 Stuttgart  mob +49 171 3101372