[ca-tf] Certification-Policy Proposal - next steps?
Robert Kisteleki robert at ripe.net
Thu Mar 25 17:21:52 CET 2010
Hi,

(I'm only addressing the technicalities here.)

On 2010.03.24. 10:05, Nigel Titley wrote:
> So what I would propose is the following:
>
> 1. Address space is allocated, certificate is issued, expiry period 5
> years
>
> 2. Each year, membership is renewed and certificates are re-issued with
> a further 5 year expiry.
>
> 3. If address space is reclaimed (for whatever reason), the certificate
> is revoked.

I believe that this is a viable way of doing it. I'd add that for key
lifetime reasons, the members SHOULD introduce new keys every 1-2 years.

> Now I know this is less neat than the proposed method, but it addresses
> the major perceived problem of the community; that while an LIR is
> disputing membership payments (or they get lost, or whatever) then the
> certificate expires and the prefix is no longer routable (once we have
> SIDR).
>
> We have another problem, that some administrations see the ability of
> the RIRs to withdraw a certificate (and hence shut off prefixes from
> being routed) as an infringement of national sovereignty. There isn't a
> solution to this although it may be ameliorated by the RIPE NCC making a
> public statement that it will only ever withdraw a certificate as a
> result of a Dutch court order, and then only after having exhausted all
> legal avenues of dispute.

I must observe that none of the secure routing drafts say "you must
reject an invalid signed route" -- they only affect the preferences in
best path selection. That is a big difference, as revoking a certificate
does _not_ tell anyone they should drop that announcement, merely that
it's not as attractive as others may be. And even that only applies to
direct path selection in the routers themselves; they have got nothing
to do with filter constructions, where the choice is 100% up to the
individual ISPs.

Robert
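As an added illustration, not code from this thread or from the RIPE NCC, the following Python model walks through the three steps Nigel proposes (issue with a 5-year expiry, re-issue each year for a further 5 years, revoke when space is reclaimed), adds the 1-2 year key rotation Robert recommends, and then shows Robert's closing point: a router's validation step only adjusts the preference of a route, it never rejects one. The LIR name, prefix, AS numbers and preference adjustments are constructed values, and ROA matching is done on the exact prefix only (a simplification of real maxLength handling).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed model of the proposed certificate lifecycle; the constants
# and names below are assumptions for illustration, not RIPE NCC policy code.
CERT_LIFETIME_YEARS = 5   # step 1/2: every (re-)issued certificate expires 5 years out
KEY_ROTATION_YEARS = 2    # Robert's suggestion: members introduce new keys every 1-2 years


@dataclass
class ResourceCert:
    holder: str          # the LIR holding the address space
    prefix: str          # resource listed in the certificate
    key_id: str          # identifies the member's key pair
    not_before: date
    not_after: date
    revoked: bool = False


def years_after(d: date, years: int) -> date:
    """Year arithmetic for the model; 29 Feb is mapped to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def issue(holder: str, prefix: str, key_id: str, today: date) -> ResourceCert:
    """Step 1: address space allocated, certificate issued with a 5-year expiry."""
    return ResourceCert(holder, prefix, key_id, today,
                        years_after(today, CERT_LIFETIME_YEARS))


def renew(cert: ResourceCert, today: date, key_id: Optional[str] = None) -> ResourceCert:
    """Step 2: annual re-issue pushing expiry out a further 5 years.
    Passing a new key_id models the member rotating its key pair."""
    return ResourceCert(cert.holder, cert.prefix, key_id or cert.key_id, today,
                        years_after(today, CERT_LIFETIME_YEARS))


def revoke(cert: ResourceCert) -> None:
    """Step 3: address space reclaimed, certificate revoked."""
    cert.revoked = True


def is_valid(cert: ResourceCert, today: date) -> bool:
    return not cert.revoked and cert.not_before <= today <= cert.not_after


def run_lifecycle(start: date, years: int) -> List[ResourceCert]:
    """Issue once, then re-issue every year; rotate the key every KEY_ROTATION_YEARS."""
    certs = [issue("LIR-EXAMPLE", "192.0.2.0/24", "key-0", start)]  # constructed holder/prefix
    for n in range(1, years + 1):
        new_key = f"key-{n}" if n % KEY_ROTATION_YEARS == 0 else None
        certs.append(renew(certs[-1], years_after(start, n), new_key))
    return certs


@dataclass
class Roa:
    prefix: str
    origin_as: int
    cert: ResourceCert   # the ROA is only usable while the certificate behind it is valid


@dataclass
class Route:
    prefix: str
    origin_as: int
    peer: str
    local_pref: int = 100


def validation_state(route: Route, roas: List[Roa], today: date) -> str:
    """Origin validation on exact prefix match; ROAs under expired or revoked
    certificates are ignored, so revocation moves a route to 'not-found'."""
    covering = [r for r in roas if r.prefix == route.prefix and is_valid(r.cert, today)]
    if not covering:
        return "not-found"
    return "valid" if any(r.origin_as == route.origin_as for r in covering) else "invalid"


# Assumed preference adjustments: validation state nudges best-path selection
# but, as Robert notes, no state causes a route to be dropped.
PREF_ADJUST = {"valid": 10, "not-found": 0, "invalid": -10}


def select_best(routes: List[Route], roas: List[Roa], today: date) -> Tuple[Route, Dict[str, str]]:
    """Pick the route with the highest adjusted local preference; every route stays a candidate."""
    states = {rt.peer: validation_state(rt, roas, today) for rt in routes}
    best = max(routes, key=lambda rt: rt.local_pref + PREF_ADJUST[states[rt.peer]])
    return best, states


if __name__ == "__main__":
    certs = run_lifecycle(date(2010, 1, 1), 4)
    for c in certs:
        print(c.key_id, c.not_before, "->", c.not_after)
    roas = [Roa("192.0.2.0/24", 64496, certs[-1])]
    legit = Route("192.0.2.0/24", 64496, "peer-a")
    other = Route("192.0.2.0/24", 64497, "peer-b")
    print(select_best([legit, other], roas, date(2015, 6, 1)))
    revoke(certs[-1])
    print(select_best([legit], roas, date(2015, 6, 1)))   # still selected, now 'not-found'
```

Running the lifecycle from 2010 shows why the annual re-issue matters: the original certificate has already expired by mid-2015, while the one re-issued in 2014 is still valid, and the key rotated in 2012 and 2014 keeps the member's key age under the suggested limit. The second half shows that a route whose covering certificate has been revoked is still selected when it is the only candidate; it merely loses to a route with a valid ROA when one exists.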
