[ca-tf] Certification-Policy Proposal - next steps?
Gert Doering gert at space.net
Thu Mar 25 14:45:27 CET 2010
Hi Nigel, Andrew, & co :) On Wed, Mar 24, 2010 at 05:05:50PM +0000, Nigel Titley wrote: > On Wed, 2010-03-24 at 17:14 +0100, Andrew de la Haye wrote: > > I appreciate your comments. Below some food for thoughts. > > > > It is of course without question that the Certification system is based > > on Community wishes and looks after their interests, like robust > > Registry data and secure and stable routing on the Internet. > > But the problem is that the community is not happy with the system as > proposed. [..] > This is without dispute... however the details of the system are what > are causing the problem. Certification is generally seen as A Good Thing > but there are issues with the system as proposed. Yes, indeed. But I think we have seen some guidance, and Nigel's proposed plan should (hopefully) make the community go along. [..] > Now, this was one of the sticking points. The community wanted a system > with much longer expiry periods. Personally I see no reason not to have > longer expiry periods. The community suggested 10 years. I would suggest > a compromise of 5 years. [..] > > So what I would propose is the following: > > 1. Address space is allocated, certificate is issued, expiry period 5 > years > > 2. Each year, membership is renewed and certificates are re-issued with > a further 5 year expiry. > > 3. If address space is reclaimed (for whatever reason), the certificate > is revoked. I think that this should address most of the concerns voiced (see below for the last one). [..] > We have another problem, that some administrations see the ability of > the RIRs to withdraw a certificate (and hence shut off prefixes from > being routed) as an infringement of national sovereignty. There isn't a > solution to this although it may be ameliorated by the RIPE NCC making a > public statement that it will only ever withdraw a certificate as a > result of a Dutch court order, and then only after having exhausted all > legal avenues of dispute. We had a nice technical trick presented: if the revocation certificate contains the *reason* for the revocation (non-payment, governmental mandate, ...), and the client software can be configured to ignore certain types of revocations, and keep the certificate it has in its cache, then the ISPs can decide to just ignore such measures by the administration. ... thus making it useless, and stopping it cold ("you could do this but since it won't have an effect, you could as well just let it be"). [..] > I strongly disagree with you. The RIPE NCC *cannot* "make a decision > that is in the best interest of our Community" without the community > agreeing. To do otherwise is to undermine the entire PDP. We cannot > allow that to happen. Fully agree with Nigel here. This is a touchy issue, as it changes the way "The Internet" works, and the NCC must avoid being seen as "we decide what is good for you". People are already assuming a conspiracy behind half of the policy things we do - even if they are fully in the open (this is a bit irrational, but "real" people *are* irrational at times). Gert Doering -- APWG chair -- Total number of prefixes smaller than registry allocations: 150584 SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 306 bytes Desc: not available Url : https://www.ripe.net/ripe/mail/archives/ca-tf/attachments/20100325/de59a36a/attachment.bin
[ Ca-tf Archive ]