[ca-tf] Certification-Policy Proposal - next steps?
Nigel Titley nigel.titley at uk.easynet.net
Wed Mar 24 18:05:50 CET 2010
On Wed, 2010-03-24 at 17:14 +0100, Andrew de la Haye wrote:
> Hi Gert, Nigel,
>
> I appreciate your comments. Below some food for thought.
>
> It is of course without question that the Certification system is based on Community wishes and looks after their interests, like robust Registry data and secure and stable routing on the Internet.

But the problem is that the community is not happy with the system as proposed.

> One of the reasons that the CEOs of the five RIRs have committed to having a production system ready by the 1st of January 2011, is because Certification is merely an additional opt-in member service, that ties in to what is already available. It is another representation of the allocation status which follows the policies we already have, along with the membership status (this is also supported in the first draft of the legal assessment).

This is without dispute... however the details of the system are what are causing the problem. Certification is generally seen as A Good Thing but there are issues with the system as proposed.

> This means the questions Nigel raises could in fact already be answered:
>
> > Do we just offer it as a service that any RIPE NCC member can avail themselves of?
>
> Precisely, the LIR is free to choose to go into the LIR Portal and get a Certificate for their Internet resources.

This is fine.

> > How long will certificates last?
>
> They expire after one year and will be automatically rolled over and renewed, for as long as you remain a member. Just like our current business process for allocations, again in this process the certificates just follow their allocations.

Now, this was one of the sticking points. The community wanted a system with much longer expiry periods. Personally I see no reason not to have longer expiry periods. The community suggested 10 years. I would suggest a compromise of 5 years.

> > Do we withdraw them when a member leaves?
>
> Reclaiming address space after an LIR ceases to be a member is in line with the Community wishes, and with the policies and Resource Lifecycle Management we are committed to. Since the Certificate is tied to address space, it would automatically mean the certificate becomes invalid (after a grace period) once they stop being a member. This is analogous to the RIPE Database entries being removed, and the reverse DNS service being stopped. Once the address space has been reclaimed and reissued to another member, they would be able to get a certificate for it.

The issue was not with reclaiming address space per se. Everyone agrees that once address space is truly reclaimed, the certificates should be revoked. However, I see no reason why address reclamation should not be linked with certificate revocation rather than just letting the certificates expire. I know this is more work for the RIPE NCC but I feel that it may be worth it for the sake of the extra degree of comfort it provides that space may not be withdrawn arbitrarily (however unlikely this may be).

So what I would propose is the following:

1. Address space is allocated, certificate is issued, expiry period 5 years.
2. Each year, membership is renewed and certificates are re-issued with a further 5 year expiry.
3. If address space is reclaimed (for whatever reason), the certificate is revoked.

Now I know this is less neat than the proposed method, but it addresses the major perceived problem of the community; that while an LIR is disputing membership payments (or they get lost, or whatever) then the certificate expires and the prefix is no longer routable (once we have SIDR).

We have another problem, that some administrations see the ability of the RIRs to withdraw a certificate (and hence shut off prefixes from being routed) as an infringement of national sovereignty. There isn't a solution to this although it may be ameliorated by the RIPE NCC making a public statement that it will only ever withdraw a certificate as a result of a Dutch court order, and then only after having exhausted all legal avenues of dispute.

> Obviously we are concerned about the impression that we are pushing this forward. I would like to reiterate a point out of my previous message: we have realized people are more concerned with the benefits of the system to their organisation than with aspects like the time the certificate lasts. So instead of waiting for someone to voice their opinion as we have done with 2008-08 with little result, we're using targeted messaging, as well as a survey and training courses to actively gather feedback. Based on the results, we will do a thorough analysis and make a decision that is in the best interest of our Community.

I strongly disagree with you. The RIPE NCC *cannot* "make a decision that is in the best interest of our Community" without the community agreeing. To do otherwise is to undermine the entire PDP. We cannot allow that to happen.

Nigel

> Regards,
> Andrew
>
>
> On 22 Mar 2010, at 16:45, Gert Doering wrote:
>
> > Hi,
> >
> > On Mon, Mar 22, 2010 at 11:32:02AM +0000, Nigel Titley wrote:
> >> Well, I don't see any consensus for the policy proposal as originally
> >> proposed
> >
> > Definitely not...
> >
> >> and I'm happy to withdraw it
> >
> > ... but I don't think that this should be the right way. I'd go for
> > "v2.0" of the proposal that incorporates clear words to address the
> > issues voiced by the community.
> >
> >> and just continue with the
> >> technical implementation, but this begs the question of how we implement
> >> certification from a business perspective. Do we just offer it as a
> >> service that any RIPE NCC member can avail themselves of? How long will
> >> certificates last? Do we withdraw them when a member leaves? All
> >> the questions that came up during the policy debate still need
> >> answering.
> >
> > That's why I think a "v2.0" of the proposal with some answers to that
> > makes sense.
>
> On 23 Mar 2010, at 13:18, Nigel Titley wrote:
>
> > On Mon, 2010-03-22 at 16:45 +0100, Gert Doering wrote:
> >
> >>
> >> That's why I think a "v2.0" of the proposal with some answers to that
> >> makes sense.
> >
> > Yes, I'm beginning to agree with you. Merely dropping the proposal gives
> > the impression that the RIPE NCC is just going to steamroller ahead
> > regardless of what the community thinks or wants. And this is something
> > that we want to avoid at all costs.
> >
> > Nigel