Cloudflare's Cirrus Log

Brendan McMillion

Jul 16, 2018, 1:59:08 AM
to certificate-...@googlegroups.com
Hello certificate-transparency@

I wanted to share a new CT log we recently set up, called Cirrus. It's a proof-of-concept, accepting RPKI certificates from the five RIRs: https://ct.cloudflare.com/logs/cirrus/

RPKI authenticates the allocation of IP addresses on the internet, and aims to minimize the damage that can be caused when somebody accidentally announces that they are the origin for an IP they do not own. Infamous examples of this include the AS 7007 incident, and when a Pakistani ISP took down YouTube.

RPKI is very different from the web PKI. Some of the biggest differences include:
  1. Successful/failed validation isn't a hard-and-fast trust indicator; it's one of many signals about which routes are ideal.
  2. Certificates are distributed by well-known rsync servers, rather than presented at validation-time. This was done to minimize changes to BGP.
  3. Certificates are hierarchical. If I have a certificate affirming I own an address space, I can issue a certificate for a sub-space to somebody else. This means it's easy to get a certificate with the CA bit set to true.

Despite these and other differences, RPKI was built with standard X.509 certificates, meaning most of the CT ecosystem should port easily. If others in the RPKI community agree that CT is a productive addition, future work would include writing code to validate that the hierarchy of resources in certificate chains is intact and building ways to track ROAs and CRLs.
pubkey.cirrus.pem
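The post names validating that the hierarchy of resources in certificate chains is intact as future work. The check below does that for IP prefixes, as an added example that is not code from the post, Cloudflare or the Cirrus log. `ResourceCert`, `overclaims` and `validate_chain` are hypothetical names, the chain is constructed from documentation prefixes, and AS numbers, address ranges and the RFC 3779 "inherit" marker are assumed out of scope.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ResourceCert:
    # Hypothetical stand-in for a parsed RPKI certificate: only the subject
    # and the IP prefixes from its RFC 3779 extension are modelled.
    subject: str
    prefixes: list


def overclaims(parent, child):
    """Return the child's prefixes that the parent's resources do not cover."""
    parent_nets = [ipaddress.ip_network(p) for p in parent.prefixes]
    # Collapse per address family so adjacent parent prefixes (two /25s)
    # are recognised as covering a child /24.
    held = {
        v: list(ipaddress.collapse_addresses(
            n for n in parent_nets if n.version == v))
        for v in (4, 6)
    }
    bad = []
    for p in child.prefixes:
        net = ipaddress.ip_network(p)
        if not any(net.subnet_of(h) for h in held[net.version]):
            bad.append(str(net))
    return bad


def validate_chain(chain):
    """chain runs trust anchor -> leaf; returns (issuer, subject, prefixes)."""
    findings = []
    for parent, child in zip(chain, chain[1:]):
        bad = overclaims(parent, child)
        if bad:
            findings.append((parent.subject, child.subject, bad))
    return findings


# Constructed sample chain (documentation address space, not real allocations).
SAMPLE_CHAIN = [
    ResourceCert("constructed-TA", ["192.0.2.0/24", "198.51.100.0/25",
                                    "198.51.100.128/25", "2001:db8::/32"]),
    ResourceCert("constructed-ISP", ["198.51.100.0/24", "2001:db8:1::/48"]),
    ResourceCert("constructed-customer", ["198.51.100.64/26", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    for issuer, subject, bad in validate_chain(SAMPLE_CHAIN):
        print(f"{subject} claims {bad} not held by issuer {issuer}")
```

A log or monitor applying a check like this could flag a chain whose leaf claims address space its issuer was never allocated, even when every signature in the chain verifies.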