[ca-tf] Certification-Policy Proposal - next steps?
Robert Kisteleki robert at ripe.net
Fri Mar 26 19:11:59 CET 2010
Hi,
(Again, I'm only addressing the technicalities here.)
On 2010.03.25. 6:45, Gert Doering wrote:
>> We have another problem, that some administrations see the ability of
>> the RIRs to withdraw a certificate (and hence shut off prefixes from
>> being routed) as an infringement of national sovereignty. There isn't a
>> solution to this although it may be ameliorated by the RIPE NCC making a
>> public statement that it will only ever withdraw a certificate as a
>> result of a Dutch court order, and then only after having exhausted all
>> legal avenues of dispute.
>
> We had a nice technical trick presented: if the revocation certificate
> contains the *reason* for the revocation (non-payment, governmental
> mandate, ...), and the client software can be configured to ignore
> certain types of revocations, and keep the certificate it has in its
> cache, then the ISPs can decide to just ignore such measures by the
> administration.
>
> ... thus making it useless, and stopping it cold ("you could do this but
> since it won't have an effect, you could as well just let it be").
Data point: the applicable standard (RFC 5280, section 5.3.1) does not
support the above revocation reasons.
Robert
