[ca-tf] Policy proposal
Nigel Titley nigel.titley at uk.easynet.net
Mon May 3 16:59:08 CEST 2010
On Mon, 2010-05-03 at 16:28 +0200, Andrei Robachevsky wrote:
> Nigel,
>
> Nigel Titley wrote on 3/5/10 2:58 PM:
> > Folks
> >
> > Following this morning's discussion, here is my proposal for the slide
> > set. I think it roughly summarises the discussion. It may look a bit
> > bald, but the supporting patter should take the edge off.
> >
> > Comments and brickbats please. I know it is less than ideal, but we need
> > to get *something* agreed out there.
> >
> > Nigel
> >
>
> I am not sure if I am interpreting the proposal correctly (slide 7), but
> does "not tied to RIPE NCC membership" imply that the certificates are
> not based on business relationships between the holder and the RIPE NCC
> anymore?

Yes. And this is manifestly non-optimal. However it may do as an interim policy, just to get this off the ground.

> The 3-5 year validity period implies that we re-issue certificates also
> once in 3-5 years. That also means that the community is OK with the
> decreasing quality of the initial cert statement over this long period
> of time.

Yes, indeed it does.

> IMO "Certificates revoked on address re-assignment" effectively means
> that only voluntarily returned space can be reclaimed.

Not at all. Under any condition in which the RIPE NCC would re-assign address space, they will revoke the original certificate and allow the new holder to request the issue of a new one. So using the existing operational procedures, the address will

1. Have been reclaimed by the RIPE NCC
2. Not been routed for 4 months

If this is what you mean by voluntarily returned space then so be it. I would prefer to refer to it as uncontested reclaimed space.

> I am a bit worried that with these sacrifices we may decrease the
> utility of the resulting tool for routing security too much.

We are all in agreement that this is a non optimal solution. However we will sit around until the sun is a cold, dead clinker unless we make some concessions.

Nigel
