[routing-wg] request for feedback: a RPKI Certificate Transparency project?
Job Snijders
job at fastly.com
Mon Sep 20 16:00:08 CEST 2021
Hi all,

Someone asked me off-list whether I had in mind to track all ROAs (they
were concerned about scaling) or something else? A great question!

The goal I see for Certificate Transparency in the context of the RPKI
is to track (in an immutable log) the delegations of authority as
certified by the RIRs and NIRs. The value of specifically tracking the
resource delegations is twofold:

  A) Resource holders can monitor whether they (accidentally) lost any
     entitlements to any of their resources (aka, a "cryptographic
     service outage" from the perspective of the resource holder)

  B) Resource holders can monitor whether some other entity
     (accidentally) received entitlements to specific resources. (aka,
     the INR holder being at risk of a "cryptographic hijack")

To have adequate and complete insight into the activities of the
cryptographic engine at RIPE NCC (and places like ARIN, LACNIC, NIC.MX,
NIC.BR, etc), the Certificate Transparency principles only need to be
applied to the "Production CA" (using RIPE-751 lingo), not to the
subordinate products of Hosted CAs (such as ROAs), or Delegated CAs.

Tracking the issuance of RPKI ".cer" files is in the order of "tens of
thousands", with a growth curve which potentially maps to RIR membership
growth/consolidation. These are low numbers. The RPKI numbers are a
fraction of what "WebPKI" Logs and Auditors observe, which is good news,
it means we can use small servers! :-)

What to track and what not to track is up for discussion! Certificate
Transparency for RPKI does not yet exist.

Kind regards,
Job
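
The two monitoring cases in the message above (A: lost entitlements, B: another entity receiving overlapping entitlements), as an added example that is not part of the original message or of any existing RPKI tooling. It replays a hypothetical append-only log of Production CA issuance for one resource holder; the log format, holder names and certificate ids are assumptions, and the sample entries are constructed.

```python
import ipaddress

# Constructed sample log (hypothetical format): append-only events for
# resource certificates issued by a Production CA to its members.
SAMPLE_LOG = [
    ("issue",  "cert-1", "holder-A", ["192.0.2.0/24", "2001:db8::/32"]),
    ("issue",  "cert-2", "holder-B", ["198.51.100.0/24"]),
    ("revoke", "cert-1", "holder-A", []),
    ("issue",  "cert-3", "holder-A", ["2001:db8::/32"]),   # 192.0.2.0/24 dropped
    ("issue",  "cert-4", "holder-B", ["192.0.2.0/25"]),    # overlaps holder-A
]

def current_certs(log):
    """Replay the log; return {cert_id: (subject, [networks])} for live certs."""
    live = {}
    for action, cert_id, subject, resources in log:
        if action == "issue":
            live[cert_id] = (subject, [ipaddress.ip_network(r) for r in resources])
        elif action == "revoke":
            live.pop(cert_id, None)
    return live

def covers(outer, inner):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return outer.version == inner.version and inner.subnet_of(outer)

def overlaps(a, b):
    return a.version == b.version and a.overlaps(b)

def audit(log, me, expected):
    """Return (lost, foreign) for resource holder `me`.

    lost:    expected prefixes no longer covered by any live cert issued to `me`
             (case A, the "cryptographic service outage").
    foreign: (cert_id, subject, certified_prefix, my_prefix) for live certs issued
             to someone else that overlap an expected prefix (case B).
    """
    expected = [ipaddress.ip_network(p) for p in expected]
    live = current_certs(log)
    mine = [n for subj, nets in live.values() if subj == me for n in nets]
    lost = [str(e) for e in expected if not any(covers(m, e) for m in mine)]
    foreign = sorted(
        (cert_id, subj, str(n), str(e))
        for cert_id, (subj, nets) in live.items() if subj != me
        for n in nets for e in expected if overlaps(n, e)
    )
    return lost, foreign

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "holder-A", ["192.0.2.0/24", "2001:db8::/32"]))
```

A finding in either list is a prompt to check with the registry, since a legitimate transfer produces the same log entries as an accidental one.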