[ca-tf] Certification-Policy Proposal - next steps?
Gert Doering gert at space.net
Thu Mar 25 14:45:27 CET 2010
Hi Nigel, Andrew, & co :)
On Wed, Mar 24, 2010 at 05:05:50PM +0000, Nigel Titley wrote:
> On Wed, 2010-03-24 at 17:14 +0100, Andrew de la Haye wrote:
> > I appreciate your comments. Below is some food for thought.
> >
> > It is of course without question that the Certification system is based
> > on Community wishes and looks after their interests, like robust
> > Registry data and secure and stable routing on the Internet.
>
> But the problem is that the community is not happy with the system as
> proposed.
[..]
> This is without dispute... however the details of the system are what
> are causing the problem. Certification is generally seen as A Good Thing
> but there are issues with the system as proposed.
Yes, indeed. But I think we have seen some guidance, and Nigel's
proposed plan should (hopefully) make the community go along.
[..]
> Now, this was one of the sticking points. The community wanted a system
> with much longer expiry periods. Personally I see no reason not to have
> longer expiry periods. The community suggested 10 years. I would suggest
> a compromise of 5 years.
[..]
>
> So what I would propose is the following:
>
> 1. Address space is allocated, certificate is issued, expiry period 5
> years
>
> 2. Each year, membership is renewed and certificates are re-issued with
> a further 5 year expiry.
>
> 3. If address space is reclaimed (for whatever reason), the certificate
> is revoked.
I think that this should address most of the concerns voiced (see below
for the last one).
[..]
> We have another problem, that some administrations see the ability of
> the RIRs to withdraw a certificate (and hence shut off prefixes from
> being routed) as an infringement of national sovereignty. There isn't a
> solution to this although it may be ameliorated by the RIPE NCC making a
> public statement that it will only ever withdraw a certificate as a
> result of a Dutch court order, and then only after having exhausted all
> legal avenues of dispute.
We had a nice technical trick presented: if the revocation certificate
contains the *reason* for the revocation (non-payment, governmental
mandate, ...), and the client software can be configured to ignore
certain types of revocations, and keep the certificate it has in its
cache, then the ISPs can decide to just ignore such measures by the
administration.
... thus making it useless, and stopping it cold ("you could do this, but
since it won't have an effect, you might as well just let it be").
[..]
> I strongly disagree with you. The RIPE NCC *cannot* "make a decision
> that is in the best interest of our Community" without the community
> agreeing. To do otherwise is to undermine the entire PDP. We cannot
> allow that to happen.
Fully agree with Nigel here. This is a touchy issue, as it changes the
way "The Internet" works, and the NCC must avoid being seen as "we
decide what is good for you". People are already assuming a conspiracy
behind half of the policy things we do - even if they are fully in the
open (this is a bit irrational, but "real" people *are* irrational at
times).
Gert Doering
-- APWG chair
--
Total number of prefixes smaller than registry allocations: 150584
SpaceNet AG
Joseph-Dollinger-Bogen 14
D-80807 Muenchen
Tel: +49 (89) 32356-444
Vorstand: Sebastian v. Bomhard
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
USt-IdNr.: DE813185279
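The 5-year expiry with yearly re-issue and the reason-aware revocation handling discussed in this thread, modelled as an added example (not code from the thread's authors or from any RPKI validator). The reason names, and the rule that a revocation for key compromise can never be ignored by operator policy, are assumptions of the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet, Optional

# Revocation reasons for this model. Names are constructed for the example;
# the thread only says a revocation should carry "the reason" for it.
NON_PAYMENT = "non-payment"
GOVERNMENT_MANDATE = "governmental-mandate"
KEY_COMPROMISE = "key-compromise"
# Assumption added here: a reason about the key material itself is never
# ignorable, whatever the operator thinks of other registry decisions.
NEVER_IGNORABLE = frozenset({KEY_COMPROMISE})

@dataclass(frozen=True)
class CachedCert:
    prefix: str
    issued: date
    not_after: date
    revoked_reason: Optional[str] = None

@dataclass(frozen=True)
class ValidatorPolicy:
    # Revocation reasons this validator keeps a cached certificate through.
    ignored_reasons: FrozenSet[str] = frozenset()
    def __post_init__(self):
        bad = self.ignored_reasons & NEVER_IGNORABLE
        if bad:
            raise ValueError(f"policy may not ignore {sorted(bad)}")

def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def issue(prefix: str, on: date, years: int = 5) -> CachedCert:
    """Steps 1 and 2: (re-)issue with expiry `years` after `on`."""
    return CachedCert(prefix, on, add_years(on, years))

def revoke(cert: CachedCert, reason: str) -> CachedCert:
    """Step 3 and the contested cases: a revocation records its reason."""
    return replace(cert, revoked_reason=reason)

def is_trusted(cert: CachedCert, today: date, policy: ValidatorPolicy) -> bool:
    """Expiry always wins; a revocation counts unless policy ignores its reason."""
    if today > cert.not_after:
        return False
    if cert.revoked_reason is None:
        return True
    return cert.revoked_reason in policy.ignored_reasons
```

Because expiry is checked before the revocation reason, a certificate that is no longer re-issued drops out of the cache after at most the 5-year window even under the most permissive policy.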