[ca-tf] Certification-Policy Proposal - next steps?
Robert Kisteleki robert at ripe.net
Fri Mar 26 19:11:59 CET 2010
Hi,

(Again, I'm only addressing the technicalities here.)

On 2010.03.25. 6:45, Gert Doering wrote:
>> We have another problem, that some administrations see the ability of
>> the RIRs to withdraw a certificate (and hence shut off prefixes from
>> being routed) as an infringement of national sovereignty. There isn't a
>> solution to this although it may be ameliorated by the RIPE NCC making a
>> public statement that it will only ever withdraw a certificate as a
>> result of a Dutch court order, and then only after having exhausted all
>> legal avenues of dispute.
>
> We had a nice technical trick presented: if the revocation certificate
> contains the *reason* for the revocation (non-payment, governmental
> mandate, ...), and the client software can be configured to ignore
> certain types of revocations, and keep the certificate it has in its
> cache, then the ISPs can decide to just ignore such measures by the
> administration.
>
> ... thus making it useless, and stopping it cold ("you could do this but
> since it won't have an effect, you could as well just let it be").

Data point: the applicable standard (RFC 5280, section 5.3.1) does not
support the above revocation reasons.

Robert