This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] Re: the implications of RPKI certificate revokation
- Previous message (by thread): [address-policy-wg] Re: the implications of RPKI certificate revokation
- Next message (by thread): [address-policy-wg] the implications of RPKI certificate revokation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Martin Millnert
millnert at gmail.com
Thu May 5 10:44:07 CEST 2011
On Thu, May 5, 2011 at 4:21 AM, Brian Nisbet <brian.nisbet at heanet.ie> wrote: > On 05/05/2011 08:45, Jim Reid wrote: >> >> On 4 May 2011, at 17:24, Brian Nisbet wrote: >> >>> You seem to be imagining a scenario where a national governement would >>> just ring up the NCC and say, "revoke these certs." I have seen no >>> evidence to suggest this risk is anything close to real. >> >> I suppose this depends on the definition of "real" and "evidence" Brian. >> >> If the NCC gets told to revoke a cert -- eg via a Dutch court order or >> equivalent -- it will have to do that. It would be sensible to assume >> that well-funded and/or litigious organisations might well be minded to >> pursue that avenue if they think getting a cert revoked will either >> disrupt or shut down some activities they dislike. Or bury their >> opponents in legal costs before it gets to the point where a court order >> gets issued. Certificates for routing will provide another vector for >> these sorts of layer-9 and up attacks. IMO it's foolish to assume or >> pretend otherwise. > > My point was not that the cert could not be revoked (although Sander's > follow-up post would suggest that might be the case), rather that it would > be a long and difficult process. Certainly far, far more difficult than a > government picking up the phone and saying "We are in a state of national > emergency/rebellion/worried our citizens are learning things, shut down the > Internet now." Simply by having the possibility to revoke certifications or db entries, the RIPE NCC invites gunned madmen, be them from governments or not, to enter their offices and make them make certain unwanted sites/prefixes on the internet disappear. I'd prefer if there was no reason for them to attempt this, since there would be no technical way to do it. Why is revocation of assigned addresses in this manner necessary? Kind Regards, Martin
- Previous message (by thread): [address-policy-wg] Re: the implications of RPKI certificate revokation
- Next message (by thread): [address-policy-wg] the implications of RPKI certificate revokation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]