> As a result of a software bug introduced in our RPKI CA system on 16 > May at around 08:49 UTC, our CA system failed to revoke certificates > for members/End Users that lost their final resources. > > This issue affected two certificates, one containing a /22 and another > containing a single AS Number. In violation of our CPS [0, Section > 4.9.5], we did not revoke the affected certificates within eight hours > of changing the resources. These certificates did not issue any > leftover CA products (ROAs). > > A fix for this issue was deployed to production today, 17 May at 08:20 > UTC, and the two certificates were correctly revoked at 08:29 UTC on > 17 May. > > Since the /22 certificate involved the consolidation of resources and > no ROAs were present, we believe there was no impact on the validity > of prefixes. Similarly, there was no impact for the AS Number > returned to the free pool. > > We have checked the prefixes affected by all transfers that happened > during the time period the bug was present. No other certificates were > affected: Either the CA still had resources, or there was no CA > certificate for the member/End User to lose resources.
great post mortem. thank you. and sympathies, of course. can i apply for a refund? :) randy -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/routing-wg
