This is what I was thinking.
There would need to be an overlap, otherwise there could potentially be a
disruption.

I guess a couple of questions on exactly how the process would work:

Would ARIN require the org to re-request hosted access with a new key
pair (the key to sign the ROA requests)? - Ideally, no. A new resource
certificate should be generated (assuming the org was in good standing).

During the overlap period, would the org be asked which hosted resource
certificate to use? - I don't see a value in that. If more than one
resource certificate exists, use the one with the longest validity period.

Would there be a notification of the hosted resource certificate
expiring? - Ideally, yes. This raises the question about notification of
expiration of individual ROAs, which may be a different discussion.

Thank you.

On 11/2/2017 1:23 AM, Owen DeLong wrote:
IMHO I should be able to create a new certificate up to 1 year prior to
expiration of the old one and during the overlap period, ROAs signed using
either certificate should validate.
Owen
On Nov 1, 2017, at 19:12, Mark Kosters <[email protected]> wrote:
Hi Andrew
That was a good question – one that merited a bit of research on our part.
Here’s what we have.
Yes, ROAs cannot be created with dates past the expiration of the hosted
certificate.
As for what to do when the time approaches where the hosted cert needs to be
renewed, we are wondering what you (and others) would prefer as a way going
forward?
Thanks,
Mark
On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo"
<[email protected] on behalf of [email protected]> wrote:
Greetings:
A question came up at an Internet2 meeting concerning hosted RPKI.
Specifically- what happens at the expiration of the Hosted Certificate?
I see that the hosted certificate has a 10-year validity period, and
ROAs cannot be created with dates past the expiration of the Hosted
Certificate.
When the expiration of this certificate is approaching, what is the
procedure? Do we need to re-request Hosted Access? Regenerate ROAs?
Will there be an overlap period where both the expiring and new
certificates & ROAs will both be valid (to avoid any gaps in coverage)?
Thank you.
_______________________________________________
arin-tech-discuss mailing list
[email protected]
http://lists.arin.net/mailman/listinfo/arin-tech-discuss
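
Added example (not part of the original thread, and not ARIN's code): a small Python model of the rollover discussed above. It enforces the stated rule that a ROA cannot outlive its hosted certificate, reads "use the one with the longest validity period" as picking the latest-expiring certificate that is currently valid (an assumption), and reports the days on which a prefix has no validating ROA. All names, dates and the prefix are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date
    def valid_on(self, day):
        return self.not_before <= day <= self.not_after

@dataclass(frozen=True)
class Roa:
    prefix: str
    issuer: Cert
    not_before: date
    not_after: date

def create_roa(prefix, issuer, not_before, not_after):
    # Rule stated in the thread: a ROA may not be dated past its hosted certificate.
    if not_after > issuer.not_after:
        raise ValueError(f"ROA end {not_after} is past {issuer.name} expiry")
    return Roa(prefix, issuer, not_before, not_after)

def pick_cert(certs, day):
    # Assumed reading of the reply: of the certificates valid today, use the one expiring last.
    live = [c for c in certs if c.valid_on(day)]
    return max(live, key=lambda c: c.not_after) if live else None

def coverage_gaps(roas, prefix, start, end):
    # Return (first_day, last_day) ranges in which no ROA for the prefix validates.
    # A ROA counts only while both it and its issuing certificate are in date.
    gaps, gap_start, day = [], None, start
    while day <= end:
        ok = any(r.prefix == prefix and r.not_before <= day <= r.not_after
                 and r.issuer.valid_on(day) for r in roas)
        if not ok and gap_start is None:
            gap_start = day
        elif ok and gap_start is not None:
            gaps.append((gap_start, day - timedelta(days=1)))
            gap_start = None
        day += timedelta(days=1)
    if gap_start is not None:
        gaps.append((gap_start, end))
    return gaps

# Constructed dates: a 10-year certificate and two possible renewals.
OLD = Cert("old", date(2008, 1, 1), date(2017, 12, 31))
NEW_OVERLAP = Cert("new-overlap", date(2017, 1, 1), date(2026, 12, 31))
NEW_LATE = Cert("new-late", date(2018, 1, 15), date(2028, 1, 14))
PREFIX = "192.0.2.0/24"  # documentation prefix, constructed sample
```

With an overlapping renewal, ROAs can be reissued under the new certificate before the old one expires and `coverage_gaps` returns an empty list; with a renewal that starts after expiry, it returns the uncovered date range.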