Hi David et al.

This is good input. The code was written to match the lifetime of the resource 
cert. We can certainly lower the default down. Is 3 years the consensus?

Thanks,
Mark

From: arin-tech-discuss <[email protected]> on behalf of David 
Farmer <[email protected]>
Date: Friday, January 11, 2019 at 12:10 PM
To: Christopher Morrow <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [arin-tech-discuss] RPKI How long to set a ROA certificate


On Fri, Jan 11, 2019 at 1:13 AM Christopher Morrow <[email protected]> wrote:

On Thu, Jan 10, 2019 at 10:29 PM Delacruz, Anthony B <[email protected]> wrote:
The default using ARIN systems looks to be 10 years. That just feels like too 
long given how other certificates I interact with expire. What is everyone else

that seems very long.
I expect it might make sense to think about how long do you expect to need the 
ROA (for example)? and how often will your automation be able to update all 
objects which need to be updated? One other thing to keep in mind is how long 
do you expect a 'lost' object to be usable?

I agree that is long, and probably too long for the default, but it's not 
insanely long, for much of the Internet prefixes don't change very much once 
they are advertised and typically the prefixes allocated or assigned are the 
ones advertised.  The prefixes intentionally advertised by our network have been 
stable for several decades, yes we have added new prefixes, but in the last 
thirty years, only one of our prefixes has had a more specific added to our 
list of intentionally advertised prefixes once initially advertised. The nature 
and longevity (more than 150 years) of our institution lends itself to an 
abnormally high level of stability, nevertheless for much of the Internet 
stability on a scale of several years is the norm.

tending to do? We’re just putting our toe in the water for this so using the 
hosted to accommodate a few customers as we research and test doing delegated 
which probably would be 2 or so years out. Would I run into trouble if it’s too 
long then switch to us running on our servers? I wouldn’t think so just expire 
it and issue new ones right? Any tips on running hosted for a while with intent 
to switch to delegated?

seems correct to me, there may be more wonkery required than at first blush 
seems right, but :)

I think somewhere between 2 to 5 years is reasonable and going to be common, 
probably starting out closer to 2 years and over time moving closer to 5 years 
as everyone gains experience. But if you are just dipping your toes in the 
water 1 or 2 years seems perfectly appropriate.

I'd like to see ARIN change the default to 3 years, 10 years is way too long for 
the default, 10 years might be a reasonable maximum though. I'm suggesting 3 
years to help encourage people to not use too short of a time, but also these 
things need to be regularly evaluated and updated too, 3 years seems a 
reasonable balance of the issues, at least without additional knowledge of 
other circumstances involved.

--
===============================================
David Farmer               Email: [email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
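The trade-off the thread circles around (ROA lifetime versus how often your automation can renew, and how long a forgotten or "lost" ROA stays usable) can be audited mechanically. The following Python script is an added example, not code from this thread, from ARIN, or from any RPKI validator. The ROA records are constructed (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs), the field names are assumptions rather than any real export format, and the 3-year target and 10-year maximum are taken from David's suggestion above.

```python
"""Audit ROA validity windows against a lifetime policy.

Added example (not from the mailing-list thread or from ARIN).
Record field names and all sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Policy knobs lifted from the thread: 3 years as a sensible default,
# 10 years as a reasonable maximum. Both are assumptions, not ARIN policy.
POLICY = {"target_years": 3, "max_years": 10}

# How often the renewal automation actually runs (assumed value).
AUTOMATION_PERIOD = timedelta(days=30)

# Constructed evaluation instant (the date of David's message).
NOW = datetime(2019, 1, 11, tzinfo=timezone.utc)

# Constructed ROA records; prefixes are RFC 5737 documentation space,
# ASNs are in the RFC 5398 documentation range.
SAMPLE_ROAS = [
    {"prefix": "192.0.2.0/24", "asn": 64496,
     "not_before": "2019-01-11T00:00:00Z", "not_after": "2029-01-11T00:00:00Z"},
    {"prefix": "198.51.100.0/24", "asn": 64497,
     "not_before": "2017-01-01T00:00:00Z", "not_after": "2019-02-01T00:00:00Z"},
    {"prefix": "203.0.113.0/24", "asn": 64498,
     "not_before": "2016-01-01T00:00:00Z", "not_after": "2018-12-31T00:00:00Z"},
    {"prefix": "198.51.100.0/22", "asn": 64499,
     "not_before": "2018-06-01T00:00:00Z", "not_after": "2029-06-01T00:00:00Z"},
]

# Constructed set of prefixes the network currently originates; an ROA whose
# prefix is absent here is the "lost object" case from the thread.
ANNOUNCED = {"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"}


def parse_ts(text):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def years_after(ts, years):
    """Calendar-based 'ts + years'; a Feb 29 start is clamped to Feb 28."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def assess_roa(roa, now, automation_period, announced, policy=POLICY):
    """Return a finding record for one ROA.

    Findings:
      exceeds_max_lifetime    validity window longer than policy maximum
      longer_than_target      window longer than the suggested default
      expired                 not_after is already in the past
      renew_soon              fewer than two automation cycles remain, so a
                              single missed run would leave the prefix uncovered
      valid_but_not_announced still-valid ROA for a prefix no longer originated
    """
    not_before = parse_ts(roa["not_before"])
    not_after = parse_ts(roa["not_after"])
    findings = []

    if not_after > years_after(not_before, policy["max_years"]):
        findings.append("exceeds_max_lifetime")
    elif not_after > years_after(not_before, policy["target_years"]):
        findings.append("longer_than_target")

    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining < 2 * automation_period:
        findings.append("renew_soon")

    if remaining > timedelta(0) and roa["prefix"] not in announced:
        findings.append("valid_but_not_announced")

    return {
        "prefix": roa["prefix"],
        "asn": roa["asn"],
        "lifetime_days": (not_after - not_before).days,
        "days_remaining": remaining.days,
        "findings": findings,
    }


def audit(roas, now, automation_period, announced):
    """Assess every ROA and return the list of finding records."""
    return [assess_roa(r, now, automation_period, announced) for r in roas]


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_ROAS, NOW, AUTOMATION_PERIOD, ANNOUNCED)


if __name__ == "__main__":
    for rec in run_sample():
        flags = ", ".join(rec["findings"]) or "ok"
        print(f'{rec["prefix"]:18} AS{rec["asn"]}  lifetime={rec["lifetime_days"]}d '
              f'remaining={rec["days_remaining"]}d  {flags}')
```

The renewal threshold is deliberately two automation cycles rather than one: an ROA that expires between runs turns the covered routes RPKI-invalid at every validating network, and with only one cycle of slack a single failed run is enough to cause that. The "valid but not announced" check is the defensive side of Chris's "lost object" question: a long-lived ROA for a prefix you no longer originate keeps authorising that origin for the rest of its window, so a long default lifetime should be paired with an inventory check like this one.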
