About Certification Authorities
In the Digital Certificate realm, a Certification Authority (CA) is an organization whose function is to issue certificates. CAs confirm the identity of the subject of the Certificate, and attest that the public key in the generated Certificate is the public key of the identified party.
APNIC operates a Certification Authority (CA) service to provide enhanced and secure services for APNIC Members and customers though the use of X.509 Digital Certificates. As part of this service, APNIC issues Digital Certificates to APNIC Member and Non-Member account holders. X.509 is the CCITT/ITU international standard defining public key certificates, and is implemented by APNIC in line with the IETF standard RFC5280.
What is a Digital Certificate?
Digital Certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. APNIC uses electronic certificates to prove its own identity, the identity of its Members, and the right-of-use over Internet resources.
APNIC issues regular Public Key Infrastructure (PKI) certificates for access control to APNIC services such as the MyAPNIC Member services website.
In the case of Resource Certification, APNIC issues Resource Public Key Infrastructure (RPKI) certificates that have ‘Certificate Extensions’ added. These Certificate Extensions carry the Internet number resources allocated or assigned to the APNIC Member who is the subject of the Resource Certificate. These Resource Certificates are different to the identity certificates used for Web system access, and may only be used in the context of verifying an entity’s “right-of-use” over an IP address or AS. As a result, APNIC now manages two independent certificate authorities, one for Member services, and the second for Resource Certification.
Trust Anchors
Establishing a Certificate’s validity involves assembling a chain of Certificates that starts with a nominated trust anchor. The validation path involves locating a valid Certificate issued by the trust anchor to another entity, which, in turn had issued a valid Certificate to another entity, and so on until we reach the Certificate in question.
For example, if the nominated trust anchor was APNIC, validating the Certificate would entail the inspection of a Certificate issued by APNIC that describes a Local Internet Registry’s (LIR’s) resource holdings. This is followed by inspection of an LIR-issued Certificate that describes the resource holdings of the entity whose Certificate is being validated.
APNIC will provide a public record of their allocation actions in the form of a public key Certificate that records the allocation of a specific resource to the entity possessing the matching public/private key pair. Thus, a Resource Certificate issued by APNIC relating to Member ‘A’ with resources 192.0.2.0/24 should only be issued by APNIC, and only if Member ‘A’ is indeed the current holder of that address resource.