On Mon, May 6, 2019 at 2:04 PM Owen DeLong <[email protected]> wrote:

> To reduce this to one, you first need to identify an organization that can be
> trusted with that authority, literally the ability to revoke the valid status of
> every route on the internet (or at least every route that has a corresponding
> ROA in the RPKI system).
> Who do you nominate for that function?
I would suggest making an expiration date 15 years forward the sole revocation mechanism: declining to implement the processing of real-time revocation down to RIR CAs by utilizing issuance policies where no CRL, OCSP, or other distribution URLs would be specified for production certificates issued to an RIR CA, the root RPKI CA, or RPKI intermediary certificates. Or at least require that any distribution URLs given be URLs on hostnames the RIRs control, from which any CRLs are listed.

The requirement to revoke one of the small number of RIR-level or parent certs should be so rare that it can be made a process where operators would need to manually download the CRL if required (which should be set to never expire) and apply it to their own routers.

This is a case where you need routers already up and running with announcements accepted before the connectivity required to check certificate revocations by fetching status from OCSP or CRL distribution points should even exist.

-- 
-JH
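As an added example, not part of this thread or any RIR's tooling: a Go audit that checks a parsed CA certificate against the issuance policy proposed above (no CRL distribution point URLs, no OCSP URLs, expiry at least 15 years out). The self-signed test CA, its subject name and the example.invalid URLs are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCAPolicy checks a parsed CA certificate against the proposed issuance policy (no CRL distribution
// points, no OCSP URLs in AIA, expiry at least 15 years after NotBefore); an empty result means compliant.
func AuditCAPolicy(c *x509.Certificate) []string {
	var v []string
	if len(c.CRLDistributionPoints) > 0 {
		v = append(v, "CRL distribution point URLs present")
	}
	if len(c.OCSPServer) > 0 {
		v = append(v, "OCSP URLs present in AIA")
	}
	if c.NotAfter.Before(c.NotBefore.AddDate(15, 0, 0)) { // the 15-year forward expiry proposed in the message
		v = append(v, "validity shorter than 15 years")
	}
	return v
}

// MakeTestCA builds a self-signed CA certificate (constructed test data, not a real RIR cert) with the
// given validity and optional CRL/OCSP URLs, round-tripped through DER so the audit sees parsed extensions.
func MakeTestCA(years int, crlURLs, ocspURLs []string) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test RIR CA (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, CRLDistributionPoints: crlURLs, OCSPServer: ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := MakeTestCA(15, nil, nil)
	bad, _ := MakeTestCA(1, []string{"http://crl.example.invalid/ca.crl"}, nil)
	fmt.Println("15y, no URLs:", AuditCAPolicy(good), "| 1y, CRL DP:", AuditCAPolicy(bad))
}
```

The same audit can be run over a real trust anchor or RIR CA certificate loaded with x509.ParseCertificate to see which of the three policy points it would currently violate.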
