Deploy360 17 November 2015

RIPE 71 – Highlights from Day 1

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

The RIPE 71 meeting is happening this week in Bucharest, and each day we’ll be highlighting the presentations and activities related to the Deploy360 technologies.

To kick off, Randy Bush presented an interesting initiative during the opening plenary: the Automated Certificate Management Environment (ACME). Currently only between 40% and 60% of web and e-mail traffic is encrypted with TLS, partly because obtaining and managing digital certificates is not always straightforward, is prone to error and can be expensive. ACME aims to offer a standards-based REST API for Certification Authorities (CAs) that lets system administrators obtain trusted certificates automatically, without any human intervention. This is accomplished by running a certificate agent on the server that proves to the CA that the server controls a domain, after which the agent can request, renew and revoke certificates for that domain.

This initiative is currently backed by Let’s Encrypt, but the IETF ACME Working Group has produced an Internet-Draft with a view to making ACME a common standard. Obtaining a certificate takes three steps: the agent generates a key pair that identifies the account controlling one or more domains; it then proves control of those domains by answering a challenge from the CA (for example, by publishing a CA-supplied token at a well-known HTTP URL or in a DNS record); finally, it generates a Certificate Signing Request and sends it to the CA, which issues the certificate. All of these exchanges are JSON messages carried over HTTPS.

Let’s Encrypt is also provisioning a free CA (supported by sponsors) that only issues certificates automatically through ACME, in order to encourage uptake of the technology. Its certificates are already trusted by the major browsers (through a cross-signature from an established root), and the CA aims to go into full production from 3 December 2015, with a beta service already available.
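The challenge-response step described above, as an added example that is not code from the presentation, the IETF draft or Let’s Encrypt: using only the Python standard library, it shows what the agent publishes at the well-known HTTP URL and how the CA checks it. The account key (a public RSA JWK with a placeholder modulus), the token and the webroot are constructed placeholders, and the JWS-signed request and CSR steps are left out because they need a crypto library.

```python
"""ACME HTTP challenge, both sides: what the agent publishes and what the CA checks.

Added example for this post, not code from the RIPE 71 presentation, the IETF
draft or Let's Encrypt. Standard library only, so the signed request and the
CSR are not shown; the account key, token and webroot are constructed.
"""
import base64
import hashlib
import hmac
import json
import posixpath
import re
import secrets

# Members that enter the RFC 7638 thumbprint, per key type. Anything else in
# the JWK ("alg", "kid", ...) is deliberately ignored.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# ACME tokens are base64url with at least 128 bits of entropy. The agent turns
# the token into a filename, so it must refuse anything outside this alphabet.
TOKEN_RE = re.compile(r"\A[A-Za-z0-9_-]{22,}\Z")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexically sorted, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA's token to the account key: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Where the agent publishes the response; rejects tokens that could escape the webroot."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not a base64url string")
    return posixpath.join(webroot, ".well-known", "acme-challenge", token)


def agent_respond(files: dict, webroot: str, token: str, account_jwk: dict) -> str:
    """Agent side. `files` is a dict standing in for the web server's document root."""
    path = challenge_path(webroot, token)
    files[path] = key_authorization(token, account_jwk)
    return path


def ca_validate(files: dict, webroot: str, token: str, account_jwk: dict) -> bool:
    """CA side: 'fetch' /.well-known/acme-challenge/<token> and compare.

    The CA recomputes the key authorization from the token it issued and the
    account key that registered, so a response planted by anyone else fails.
    """
    body = files.get(challenge_path(webroot, token))
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), key_authorization(token, account_jwk))


def new_token() -> str:
    """What the CA would generate: 32 random bytes, base64url (43 characters)."""
    return secrets.token_urlsafe(32)


# Constructed account key: a public RSA JWK with a placeholder modulus. Only the
# public half ever reaches the CA, and the thumbprint needs nothing else.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),  # placeholder, not a usable modulus
    "alg": "RS256",
    "kid": "example-account",
}

if __name__ == "__main__":
    webroot = "/var/www/example.org"  # constructed
    token = new_token()
    files = {}
    print("agent wrote", agent_respond(files, webroot, token, ACCOUNT_JWK))
    print("CA validates:", ca_validate(files, webroot, token, ACCOUNT_JWK))
    # Someone who does not hold the account key cannot satisfy the challenge.
    other = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(255, -1, -1)))}
    print("other account validates:", ca_validate(files, webroot, token, other))
```

Two points a practitioner should take from it: the published value is not the bare token but the token bound to the account key’s thumbprint, so a file left behind by another ACME account on the same host cannot be reused to get a certificate; and because the agent turns a CA-supplied token into a filename under the webroot, it must check the token’s alphabet before doing so.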

It’s also worth pointing out the presentation given by Marco d’Itri on BGP security at IXs. This reported on an experiment to test which networks would accept incorrect routes announced to them by a peer, and it found a sizeable number of vulnerable networks at major Internet Exchanges. The results are quite concerning, but they are another good reason to point operators in the direction of the Routing Resilience Manifesto.

Last but not least, Jan Žorž chaired the BCOP Task Force in the evening. Five BCOP documents were up for discussion in this session, relating to low-cost community-owned exchanges, IPv6 in enterprises, IPv6-only networks, network security recommendations, and MANRS implementation. As mentioned in yesterday’s blog post, the group was looking for help with writing the documents, and several volunteers put themselves forward, but more help is still needed for the IPv6-only BCOP document if you feel you can contribute.

For those of you who cannot attend the RIPE meeting in person, a reminder that remote participation is available, with audio and video streaming and a Jabber chat room.

The full programme can be found at https://ripe71.ripe.net/programme/meeting-plan/

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
