[ca-tf] Notes on policy discussion, 5 October
From: Chris Buckridge chris@localhost
Date: Tue, 6 Oct 2009 09:48:14 +0100
Hi all,
Please find attached some notes from yesterday's discussion.
Regards,
Chris
-----
Attending: Andrew de la Haye, Andrei Robachevsky, Axel Pawlik, Nigel
Titley, Ruediger Volk, Gert Doering, Sander Steffann, Filiz Yilmaz,
Chris Buckridge (scribe)
Andrew noted that Nigel's proposal is currently "stalled" in the PDP.
It was agreed that it is better to continue editing and working with
this proposal than to abandon it and submit a new one.
It was noted that the Certification Policy (CP) document is in the
IETF process for review.
The Certification Practice Statement (CPS) is something that the TF
can assist with drafting, and should be closely related to the
certification policy eventually endorsed by the community. Ruediger
noted that it would be useful to get from the RIPE NCC some initial
ideas for what the CPS should contain.
It was noted that the TF is now taking active responsibility for
moving the policy discussion forward, making it more tangible for the
community. Andrei feels that there are principled questions, around
which there is some contention, and we should not avoid those
questions in drafting the CPS.
Ruediger noted that doing policy while ignoring the applications is
naive, and we need to identify the gaps or problems and address these
to gain community support. There were very strong reservations
expressed in Dubai, particularly in regard to the use of certificates
in routing. People will be reluctant to install certificates if they
have reasons to fear that routing may be stopped due to unexpected
events relating to certificates (revocation).
He suggested that the RIPE policy include rules to prevent things
happening in the regular, specified procedures that would be
considered "unexpected withdrawal". If unwanted events are minimised
and there are means of ensuring people know how to deal with unwanted
events when they do occur, then we could get to a proposal that no one
would object to.
Andrei noted that even with PKI, you can put "cushions" at the
decision point, and that if we take a position that RPKI simply is an
extension of address allocation policies, then we can defend our
position.
Nigel agreed, but noted that if secure routing is implemented, then
revoking a certificate will have an effect on routing.
Ruediger suggested that if certificate holders know that they can
override a revocation record, and the general policies include the
rule that re-assignments will never happen for space around which
there is a dispute, this would go some way to addressing community
concerns.
He also suggested consulting with PKI experts, and seeing if it is
possible to design the system such that revocation can only occur with
the holder's explicit consent (though the certificate could also
naturally expire). The policy needs to say that if the RIPE NCC is
compromised, then replacement certificates must be issued with the
same info. Even if someone hasn't been paying their dues, if the
certificate was valid (and not otherwise expiring) it must be
replaced/maintained.
It was agreed that Nigel will summarise the problem, summarise suggested
solutions and present to the Address Policy WG. Further community
discussion can then be taken to the mailing list. Ruediger also
suggested asking Steve Kent to do an impromptu presentation on how
bypassing revocation could work.
Ruediger noted that the system should deliver on uniqueness of
resources - if there is any kind of dispute, then there cannot be
certificates, except in the temporary case of transfers between RIR
regions.