[routing-wg] Late Revocation of CA Certificates due to Bug in RIPE NCC CA Software
Randy Bush
randy at psg.com
Wed May 17 19:25:36 CEST 2023
> As a result of a software bug introduced in our RPKI CA system on 16
> May at around 08:49 UTC, our CA system failed to revoke certificates
> for members/End Users that lost their final resources.
>
> This issue affected two certificates, one containing a /22 and another
> containing a single AS Number. In violation of our CPS [0, Section
> 4.9.5], we did not revoke the affected certificates within eight hours
> of changing the resources. These certificates did not issue any
> leftover CA products (ROAs).
>
> A fix for this issue was deployed to production today, 17 May at 08:20
> UTC, and the two certificates were correctly revoked at 08:29 UTC on
> 17 May.
>
> Since the /22 certificate involved the consolidation of resources and
> no ROAs were present, we believe there was no impact on the validity
> of prefixes. Similarly, there was no impact for the AS Number
> returned to the free pool.
>
> We have checked the prefixes affected by all transfers that happened
> during the time period the bug was present. No other certificates were
> affected: Either the CA still had resources, or there was no CA
> certificate for the member/End User to lose resources.

great post mortem. thank you. and sympathies, of course.

can i apply for a refund? :)

randy