Job Snijders wrote on 25/02/2025 18:40:
> I personally think it is helpful for both the community and RIPE NCC to have
> an inkling of an idea what 'reasonable efforts' might constitute, to shape
> expectations.
yep, agreed. As I understand it, the RIPE NCC often uses WG discussions
to shape their opinions on how to build working procedures.
>> Secondly, in terms of timelines, the NCC will have some form of communication
>> details for the CAs, as part of setting them up in the first place. I'd
>> suggest a graduated approach to this:
>>
>> 1. notification after X months of fresh manifest non-availability
>> 2. warning after Y months
>> 3. removal after Z months
>>
>> If delegation is removed without warnings, this will invite people to
>> complain.
> Sure, but does that need to be part of the policy?
>
> I'd suggest putting in some text to cover this, for example:
>
> "If RIPE NCC is unable to discover and validate a Delegated RPKI
> Certification Authority's (CA's) current Manifest and CRL for one
> hundred consecutive days, that Delegated CA's resource certificate shall
> be revoked by the RIPE NCC. RIPE NCC shall make reasonable efforts to
> discover new Manifests, to notify the Delegated CA operator if a current
> Manifest and CRL cannot be validated, and to notify the operator if the
> delegation is revoked."
Minor nit: it would be more normal to use calendar months for longer
time periods instead of base-10 numbers of days. I'd suggest
reconsidering the 100 days thing, especially if there's a gradual
response approach implemented, e.g. 1 month between notification,
warning and revocation.
> What's the difference between step 1 and step 2 in your listing?
1. "hey, we've noticed that there's a problem"
2. "this is going on too long. as it has operational consequences for
other operators, if you don't fix this by date XXXX, the delegation will
be revoked".
3. "still broken, so we've pulled the delegation."
> What if the notification emails can't be delivered, should that delay the
> revocation?
1. it's the responsibility of the resource holder to ensure that their
contact details are accurate and 2. no, it shouldn't delay the
revocation. There is an option to add delegated CA contact checks into
the ARC. I don't know whether this would add enough value to justify it.
Nick
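The graduated response discussed above (a consecutive-day streak of unvalidatable Manifest/CRL, reset by any fresh valid pair, escalating through notification, warning and revocation, with undeliverable mail not delaying anything) is easy to get subtly wrong, so here is an added illustrative tracker. It is example code written for this page, not RIPE NCC tooling or part of the policy proposal. The one/two/three calendar-month rungs and the `ca.example` identifier are assumptions; `revocation_due_by_days` shows the alternative "one hundred consecutive days" wording from the draft text for comparison.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Escalation ladder, in order. Thresholds are calendar months counted from the
# first day of the current unbroken failure streak (assumed values, not policy text).
LADDER = (("notified", 1), ("warned", 2), ("revoked", 3))
RANK = {"ok": 0, "notified": 1, "warned": 2, "revoked": 3}


def add_months(d: date, n: int) -> date:
    """Shift d by n calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb).
    This is why 'months' and 'N days' are not interchangeable in a policy text."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DelegatedCA:
    ca_id: str
    failing_since: Optional[date] = None      # first day of the current failure streak
    stage: str = "ok"                         # ok -> notified -> warned -> revoked
    events: list[tuple[date, str]] = field(default_factory=list)

    def days_failing(self, today: date) -> int:
        """Consecutive days (inclusive) without a validated Manifest and CRL."""
        return 0 if self.failing_since is None else (today - self.failing_since).days + 1


def observe(ca: DelegatedCA, today: date, manifest_and_crl_valid: bool) -> str:
    """Record one day's validation outcome and return the resulting stage.

    A fresh, validated Manifest+CRL resets the streak (the draft counts
    *consecutive* days). Revocation is terminal. The ladder is climbed at most
    one rung per observation, so a warning always precedes revocation even if
    the checker missed some days. Whether the notification mail was actually
    delivered is deliberately not an input: contact accuracy is the holder's job.
    """
    if ca.stage == "revoked":
        return ca.stage
    if manifest_and_crl_valid:
        if ca.stage != "ok":
            ca.events.append((today, "recovered"))
        ca.failing_since, ca.stage = None, "ok"
        return ca.stage
    if ca.failing_since is None:
        ca.failing_since = today
    next_stage, months = LADDER[RANK[ca.stage]]   # RANK["ok"] == 0 -> first rung
    if today >= add_months(ca.failing_since, months):
        ca.stage = next_stage
        ca.events.append((today, next_stage))
    return ca.stage


def revocation_due_by_days(ca: DelegatedCA, today: date, limit: int = 100) -> bool:
    """The draft's flat rule: revoke after `limit` consecutive unvalidatable days."""
    return ca.days_failing(today) >= limit


def simulate(start: date, outcomes: list[bool]) -> DelegatedCA:
    """Feed one validation outcome per day, starting at `start` (constructed input)."""
    ca = DelegatedCA("ca.example")
    for i, ok in enumerate(outcomes):
        observe(ca, start + timedelta(days=i), ok)
    return ca


if __name__ == "__main__":
    # Constructed scenario: a CA whose repository goes dark on 31 Jan 2025.
    ca = simulate(date(2025, 1, 31), [False] * 100)
    for day, what in ca.events:
        print(f"{ca.ca_id}: {what} on {day} ({ca.days_failing(day)} days failing)")
    print("100-day rule would revoke by day 100:",
          revocation_due_by_days(ca, date(2025, 1, 31) + timedelta(days=99)))
```

With a streak starting on 31 January 2025 the calendar-month ladder notifies on 28 February, warns on 31 March and revokes on 30 April (day 90 of the streak), whereas the flat 100-day wording would revoke ten days later; starting the same streak on 1 March instead moves every rung, which is the month-versus-days point in the nit above. A single validated Manifest/CRL pair in between resets the counter to zero.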